We propose a definition of infrastructure resilience that is tied to the operation (or function) of an infrastructure as a system of interacting components and that can be objectively evaluated using quantitative models. Specifically, for any particular system, we use quantitative models of system operation to represent the decisions of an infrastructure operator who guides the behavior of the system as a whole, even in the presence of disruptions. Modeling infrastructure operation in this way makes it possible to systematically evaluate the consequences associated with the loss of infrastructure components, and leads to a precise notion of “operational resilience” that facilitates model verification, validation, and reproducible results. Using a simple example of a notional infrastructure, we demonstrate how to use these models for (1) assessing the operational resilience of an infrastructure system, (2) identifying critical vulnerabilities that threaten its continued function, and (3) advising policymakers on investments to improve resilience.
1. INTRODUCTION

The United States has recently suffered repeated disruptions of its national infrastructure from natural disasters (e.g., Hurricane Katrina in 2005, Superstorm Sandy in 2012), accidental failures (e.g., the Northeast Blackout of 2003), and intentional attack (e.g., World Trade Center and Pentagon attacks of September 11, 2001). In response to these events and to the perceived threat of future ones, the U.S. government has identified 16 critical infrastructure and key resource (CI/KR) sectors. The term “critical infrastructure” is defined in the USA Patriot Act of 2001 to mean “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

Presidential Policy Directive 21 (PPD21) summarizes the government’s objective with regard to critical infrastructure: “The Federal Government also has a responsibility to strengthen the security and resilience of its own critical infrastructure, for the continuity of national essential functions, and to organize itself to partner effectively with and add value to the security and resilience efforts of critical infrastructure owners and operators.” In PPD21, the term “resilience” is defined explicitly to mean “the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.”

In this article, we consider the challenges associated with assessing and improving the operational resilience of critical infrastructure systems. The term “operational resilience” was introduced in an earlier policy document in the context of needing to “make the system better able to absorb the impact of an event without losing the capacity to function.” We adopt this term explicitly to mean the ability of a system to adapt its behavior to maintain continuity of function (or operations) in the presence of disruptions.

In response to the growing literature on infrastructure resilience, we describe a specific set of analytical tools based on quantitative models of system operation. Specifically, we consider the perspective of the analyst who is charged with (1) assessing the operational resilience of an infrastructure system, (2) identifying critical vulnerabilities that threaten its continued function, and (3) advising policymakers on investments to improve resilience. We present an analysis technique based on the use of a prescriptive model that represents the decisions of an infrastructure operator. That model could be an optimization model, an identity simulation of operating protocols, a heuristic algorithm that mimics a human operator’s decisions, or one of any number of other quantitative tools that can help determine how to operate a system, even in the presence of disruptions. This technique requires that we capture the essential domain-specific details about the infrastructure system in terms of its operator’s goals and the limitations on its capabilities. This also requires that we have an unambiguous measure of system performance for the infrastructure. While such features are often not present for general problems in national security and defense, we elaborate on the special features of infrastructure systems that make this technique well suited. To assess the worst-case disruptions to infrastructure function and to identify the most effective defensive measures against them, we apply the game-theoretic attacker-defender and defender-attacker-defender modeling techniques introduced by Brown et al. We illustrate the technique with a simple example and provide mathematical details in the appendices.

A main objective of this article is to advocate in favor of “operational” models that capture domain-specific details relevant to the operation of an infrastructure system. Our intent is not to replace current definitions of resilience; most existing definitions capture some of the essential aspects of resilience, but with very few exceptions they neither provide quantitative (and definitely not operationally based) measures of resilience, nor do they provide models that can be used to improve resilience. Our primary contribution in this article is to enhance these definitions by making them more precise, and by providing quantitative models that are tied to the performance of the systems in a way that is of direct relevance to the owners and operators of these systems. We hope that these examples — worked out in detail with our definitions, assumptions, mathematical models, and solution algorithms — will contribute analytical support to the practice of assessing resilience and thus enhancing infrastructure protection.

We develop our models sequentially over the next three sections of the article. In Section 2, we discuss the central Operator Model. Section 3 embellishes the Operator Model to create the Attacker Model, which identifies and evaluates the main vulnerabilities in a system and that can be used both to assess the potential damage to a system due to a set of possible attacks and to define the resilience of a system to a set of attacks. In Section 4, we discuss the Defender Model, which has both the Attacker Model and the Operator Model as subproblems and that can identify optimal, budget-limited ways to improve the resilience of the system to such attacks.

2. IMPORTANCE OF MODELING THE OPERATION OF INFRASTRUCTURE SYSTEMS

Our view of critical infrastructure systems holds that the function of each system, and especially continuity of that function, is of primary importance. In this article, we view an infrastructure as a collection of interconnected components that work together as a system to achieve a particular, domain-specific function. It does this through either human or automated decision making that responds to the demands placed on the system to provide the best possible function in any given situation. This decision making is commonly termed the operation of the system, and an operational model of a system is any mathematical model that evaluates the performance of a system (through a cost function, or some other quantitative evaluation of its operation) and that explicitly includes this operational decision making in its formulation. Although “infrastructure function” in a broad sense may be ambiguous, the notion of function for any particular infrastructure system is typically well defined and understood by its owners, operators, users, and regulators, who develop domain-specific operational models of system performance. For example, the function of an electric power transmission grid (consisting of generators, high-voltage transmission lines, transformers, etc.) is commonly defined by an industry-standard “optimal power flow model” or a related electrical engineering model (e.g., see p. 419 of Wood and Wollenberg) that determines how well power is being delivered.

Following this, the importance of a single component within an infrastructure system is based on how it contributes to the overall function of that system, which we assess as follows. We use the term disruption to mean the loss of one or more system components, and we measure the consequence that results from a disruption in terms of the subsequent loss of system functionality. We calculate this using the operational model to evaluate the change in system performance after the disruption. Having an operational model that provides a clear measure of system function allows us to systematically evaluate the importance of components by considering the consequence associated with their loss, but this requires that we assess how the infrastructure system will respond to each disruption.

In general, the contribution of a single component to system function may depend on its interactions with other components. For example, the loss of a single component might not result in any change to system function (because there is redundancy elsewhere), but the simultaneous loss of this component in combination with other (supposedly) redundant components might be catastrophic to the system. As a result, it is typically not possible to assign a single unique numerical value to each component. Moreover, attempts to rank infrastructure components in terms of such numerical values are certain to be misguided because there might not be a single most-important one (see Alderson et al. for a detailed discussion). Instead, it is more appropriate to discuss the value of sets of components, and assessing this is considerably more complicated. In concept, we seek something similar to the “Shapley value” in n-person cooperative games that characterizes how important each individual is to the payoff generated by a coalition of players, but applied to system components instead of players.

We caution against the use of simple surrogate measures of component value (such as replacement cost, or historical importance, or how “connected” a component is to other components), as these measures are far too coarse to indicate a component’s contribution to function, and therefore only have an indirect relationship to system function. Even in simple contexts, such as maximum flow network problems, the most important component (i.e., the component whose loss maximally degrades the flow in the system) is not necessarily the one with the largest capacity or the one that carries the most flow; in general, these intuitive and appealing approximations do not work.

We also caution against the use of simple surrogate models of system function unless those surrogates are validated against industry-standard models of performance. Over the last decade, there has been a large body of work devoted to the development of purely topological models of infrastructure systems that capture network structure, but little else. For example, some researchers model the function of an electric power grid using graph-theoretic models that emphasize connectivity measures but ignore the physics of electricity transmission, as governed by capacity, inductance, phase angles, etc. Our view is that these topological models fall short of capturing essential domain-specific details needed to represent the operation of an infrastructure system. This view is substantiated by Hines et al., who show that “evaluating vulnerability in power networks using purely topological metrics can be misleading.” Similar observations have been made for topological models of the Internet.

2.1. An “Operational” View of Infrastructure

The Department of Homeland Security (DHS) states that roughly 85% of the critical infrastructure systems in the United States is owned or operated by the private sector. The behavior of these infrastructure systems is not arbitrary, but reflects an organization that is fundamentally driven by constraints that are placed on their functionality. For example, there are often functional requirements on the system as a whole (e.g., it needs to “work”), which are often stated as objectives (e.g., minimize unmet demand) and then measured in terms of system function. For the private sector, these objectives often take the form of “minimize cost” or “maximize profitability.” In addition, the behavior of the infrastructure is limited by what is possible, due to physical, economic, or regulatory constraints.

In practice, modern infrastructure systems involve a mix of humans (e.g., owners, operators, managers) and autonomous “agents” (e.g., monitoring systems, feedback controllers) that make decisions to guide the behavior of the system as a whole. For example, in California’s electric power infrastructure, the independent system operator (ISO) makes real-time decisions about where to “spin up” or retire generators and which switches to open and close in the transmission grid so as to route power flow in order to balance generation and demand, subject to constraints on the capacity of individual high-voltage transmission lines and the physics of electricity. The ISO is aided by sophisticated supervisory control and data acquisition (SCADA) systems that implement decision rules for managing the system as operating conditions change.

We refer to this collective decision-making entity as “the operator” of the infrastructure. Some infrastructure systems have explicit operators (e.g., electric power), while others are governed by the interaction of many decision agents (e.g., drivers of vehicles in a regional road system). In the latter case, we can often represent the collective decision-making behavior in terms of an equilibrium model.

The key point is that the operator makes decisions about the behavior of the system in order to reconcile these objectives (what we want the system to do) with its constraints (what the system can do) in an intelligent manner. The language of constrained optimization is ideally suited to represent this type of decision problem (see Rardin for an introduction), and we adopt constrained optimization hereafter, though other types of models such as simulations might apply in other contexts.

Optimization models of this type are prescriptive: potential courses of action are represented using decision variables, and the solution to a particular problem indicates decisions that should be taken to reconcile objectives and constraints in a best possible manner (where “best” reflects the stated objective).

Modeling the behavior of an infrastructure system in terms of a constrained optimization problem does not necessarily mean that we believe that the real operation of the system is truly optimal. Rather, the key to a “good” operational model of infrastructure is to identify the essential structural features, defined in terms of the problem’s objectives and constraints. We make several arguments in support of this claim. First, the solution to a constrained optimization problem that more or less gets an infrastructure’s basic objectives and constraints correct is going to display behavior that looks a lot more realistic than a model of behavior that completely ignores system function, operating objectives, and constraints. This will be the case even if the model solutions are only near-optimal, and even an approximate solution to a constrained optimization problem can provide insight into infrastructure behavior. Second, real infrastructure owners and operators regularly formulate and solve constrained optimization problems to guide their decisions about how to run their systems. Often, there are industry-standard models of infrastructure that can be adopted as realistic representations of infrastructure behavior. We advocate using such models whenever available. Third, there is now a large literature in operations research devoted to formulating and solving these problems. Recent advances in mathematics and computation allow us to solve problems of realistic scale and fidelity in this manner.

There is one other key advantage to using an optimization-based prescriptive model of system operation as the starting point for the study of infrastructure behavior: these models naturally accommodate disruptions to infrastructure as straightforward changes to input data. For example, Salmeron et al. present a model of electric power transmission that takes available generators, transmission lines, transformers, and buses, and identifies the set of power flows that minimizes unmet, prioritized demand; this model has been validated as a realistic representation of the actual grid. If the system loses a transformer, we would like to know: How will this system adapt its behavior, and what will be the consequences on system function? We simply need to re-solve the same operator’s problem, leaving the affected transformer “out” of the model (how exactly this happens will depend on the implementation of the model, but it is essentially an input modification); then, the solution to this modified problem will indicate the best possible response of the system. Thus, system adaptation is inherent to the model formulation, not an afterthought.

This basic form of a decision model for the operator offers exactly what we need to systematically evaluate the consequences associated with the loss of sets of components. For example, we can investigate specific disruption scenarios of interest by rerunning the same model to find the best response to each. However, because we have defined the set of possible disruptions in terms of the loss of components, we can also consider a broader evaluation of all possible disruptions (e.g., via exhaustive enumeration).

Observe that you could never do this with a model that is purely descriptive (e.g., via a set of differential equations that describe a priori all future states of the system) because it would require that you consider in advance all of the possible contingencies in disruption and response, and account for them in the predefined description of behavior. Thus, the use of a prescriptive model has the benefit of not needing to specify the entire “trajectory” for system behavior (or set of possible trajectories) in advance. Rather, when there is a disruption, one simply solves for the best course of action going forward. This is more in line with what real infrastructure owners and operators do in practice.

Alderson, Brown, and Carlyle

Fig. 1. A notional infrastructure system. (a) A white circle (node) represents a location with demand equal to one barrel of fuel. A black circle (node) represents a location with supply equal to 10 barrels. Each link is bidirectional, has a fuel flow capacity of 15 barrels, and has per-barrel transit cost of $1. The penalty for unsatisfied demand per node is $10 per barrel. Nodes 3, 4, and 16 each have two (parallel, redundant) connections to the rest of the network. This network has been built to be N-1 reliable, meaning that the loss of any single link does not disconnect any node. (b) Shows baseline flows corresponding to a minimum-cost flow solution, which results in a total cost of $25.


2.2. A Notional Example

Consider a notional infrastructure system designed to distribute some commodity, say, fuel, to different locations within a city (the metaphor here is a simplified petroleum distribution system, but the modeling technique is general). Fig. 1(a) presents a simple distribution network between two supply locations (represented by black nodes) and 14 demand locations (represented by white nodes). Fuel is carried by links that are bidirectional (meaning that flow can move in either direction) and have a limited flow capacity. Assume that the demand for fuel at each demand location is one barrel of fuel, that the supply of fuel at each storage location is 10 barrels, and that each link can carry up to 15 barrels of fuel.

The operator of this infrastructure system makes decisions about how to manage fuel flows based on costs. Specifically, assume the operator faces a contractual penalty of $10 per barrel for each location that does not receive its demanded fuel. In addition, assume that the per-unit cost to send fuel over a single link is $1 per barrel.

The operator’s objective is to route the available fuel so as to minimize the sum of all delivery costs and penalty costs for the system. This task is complicated by the fact that one or more of the links in this system can be broken (equivalently, failed, lost, attacked, or interdicted). The operator faces the same objective even when there are broken links in the system — in this case, she must do the best she can to minimize the sum of delivery costs and penalties with the surviving distribution network.

We define the Operator Model as a constrained optimization problem of the following form:

$$\min_{y \in Y(x)} f(x, y), \qquad (1)$$

where x is a vector that collectively represents whether each of the components (the links in our example) in the system is working or broken (also called the operating state), the set Y(x) represents the feasible actions of the operator (here, allowable flows) for given state x of the system, and f(x, y) is a function that measures the performance (here, the cost) that results from the choice of activities y. The operations research literature is filled with such models, although most do not explicitly parameterize damage. Appendix A presents a formal mathematical representation of the Operator Model for this example.

Given the potential for broken links, the network in Fig. 1(a) has been constructed so as to be N-1 reliable (a standard notion in system reliability, where N denotes the total number of system components), meaning that a single broken link cannot disconnect any node in the network. In particular, there are two sources of fuel, and three of the locations (labeled as nodes 3, 4, and 16) are each connected by parallel links so a single break does not disconnect them.

Figure 1(b) shows the minimum-cost flows to deliver fuel to each location when there is no broken link; this is the baseline solution to the Operator Model. This system is balanced and has excess capacity — each of the sources are supplying 50% of the total demand (7 of 14 units demanded), and each has 30% reserve storage beyond what is delivered (using 7 of 10 units of available fuel).
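The Operator Model of Eq. (1), re-solved under every loss of one or two links as Section 2.1 describes, can be sketched as follows. This is an added example, not code from the article or its Appendix A: the six-node ring is a constructed stand-in for the Fig. 1 network (whose supply locations the text does not list), the names `operator_cost` and `worst_disruptions` are hypothetical, and the solver (successive shortest paths with Bellman-Ford) is one choice among many for a min-cost flow with a $10 shortfall penalty.

```python
from itertools import combinations

# Constructed sample system (NOT the article's Fig. 1 network): a six-node ring.
# Node 1 is the only supply point; nodes 2-6 each demand one barrel.
SUPPLY = {1: 10}
DEMAND = {2: 1, 3: 1, 4: 1, 5: 1, 6: 1}
LINKS = [(1, 2), (2, 3), (3, 4), (4, 5), (5, 6), (1, 6)]   # bidirectional
CAPACITY, TRANSIT_COST, PENALTY = 15, 1, 10   # barrels, $/barrel/link, $/barrel unmet


def operator_cost(broken=()):
    """Operator Model: min f(x, y) over feasible flows y, where the state x
    is given by the links listed in `broken`. Returns delivery + penalty cost."""
    arcs, adj = [], {}   # arc = [head, residual capacity, unit cost]; arc i^1 is its reverse

    def add_arc(u, v, cap, cost):
        adj.setdefault(u, []).append(len(arcs))
        arcs.append([v, cap, cost])
        adj.setdefault(v, []).append(len(arcs))
        arcs.append([u, 0, -cost])

    for u, v in LINKS:
        if (u, v) not in broken:          # a disruption is only an input change
            add_arc(u, v, CAPACITY, TRANSIT_COST)
            add_arc(v, u, CAPACITY, TRANSIT_COST)
    for node, supply in SUPPLY.items():
        add_arc("S", node, supply, 0)
    for node, demand in DEMAND.items():
        add_arc(node, "T", demand, 0)
        add_arc("S", node, demand, PENALTY)   # unmet demand "delivered" at the penalty price

    total = 0
    while True:
        # Bellman-Ford shortest S -> T path in the residual graph.
        dist, pred = {"S": 0}, {}
        for _ in range(len(adj)):
            changed = False
            for u in list(dist):
                for i in adj.get(u, []):
                    v, cap, cost = arcs[i]
                    if cap > 0 and dist[u] + cost < dist.get(v, float("inf")):
                        dist[v], pred[v] = dist[u] + cost, i
                        changed = True
            if not changed:
                break
        if "T" not in dist:               # every unit of demand is accounted for
            return total
        # Find the bottleneck on the path, then push flow along it.
        push, v = float("inf"), "T"
        while v != "S":
            i = pred[v]
            push = min(push, arcs[i][1])
            v = arcs[i ^ 1][0]            # tail of arc i
        v = "T"
        while v != "S":
            i = pred[v]
            arcs[i][1] -= push
            arcs[i ^ 1][1] += push
            v = arcs[i ^ 1][0]
        total += push * dist["T"]


def worst_disruptions(k):
    """Exhaustively enumerate every loss of k links.
    Returns (consequence, broken_links) pairs, worst first."""
    base = operator_cost()
    results = [(operator_cost(b) - base, b) for b in combinations(LINKS, k)]
    return sorted(results, key=lambda r: -r[0])


if __name__ == "__main__":
    print("baseline cost:", operator_cost())
    for k in (1, 2):
        for consequence, links in worst_disruptions(k)[:3]:
            print(f"lose {k}: {links} -> +{consequence}")
    # Consequences of sets are not sums of individual consequences:
    alone = operator_cost(((3, 4),)) + operator_cost(((4, 5),)) - 2 * operator_cost()
    joint = operator_cost(((3, 4), (4, 5))) - operator_cost()
    print("links (3,4) and (4,5): alone total", alone, "together", joint)
```

In this constructed ring, links (3,4) and (4,5) each have zero consequence when lost alone, yet losing both isolates node 4, which is the interaction between supposedly redundant components described earlier in Section 2.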

3. ASSESSING THE RISK OF POSSIBLE DISRUPTIONS

An operational model of infrastructure behavior allows us to systematically evaluate how the system will respond to any disruption (defined in terms of the simultaneous loss of one or more system components) and then measure the consequence in terms of a change in system function. The key question becomes: What kinds of disruption scenarios are of most concern?

3.1. Nondeliberate Hazards Versus Deliberate Threats

In practice, infrastructure owners and operators must contend with both nondeliberate hazards (e.g., accidents, failures, and Mother Nature) and deliberate threats (e.g., vandalism, sabotage, competitors, and terrorism). The study of failures in technological systems has yielded an extensive literature on system reliability. The broader study of risk in the context of nondeliberate hazards has resulted in a large literature in probabilistic risk analysis (PRA) that defines possible future scenarios, assigns a probability to each scenario, estimates the consequence associated with each scenario, and then aggregates this information into one or more measures of risk, such as expected value, value at risk, or conditional value at risk. PRA has been particularly successful when applied to nondeliberate hazards for which there are data or models that can be used to assess the required probabilities. In some cases, these data may be historical (e.g., weather records, failure statistics, actuarial statistics, and accident reports) or can be obtained via experiment (e.g., laboratory stress testing to evaluate the mean time between failures). For so-called rare events there is ongoing debate about how to model the frequencies with which disruptions occur (e.g., earthquakes), and this is an active area of research.

Following the attacks of September 11, 2001, there was a shift in national priority from assessing nondeliberate hazards to preventing and protecting against deliberate threats, and the study of risk in national security problems has been controversial ever since. Pate-Cornell and Guikema are among the first to apply the techniques of PRA to terrorism risk. Many papers follow, often using simplified models that rely on the definition “Risk = Threat (T) x Vulnerability (V) x Consequence (C),” where subject matter experts assess the threat and vulnerability terms as probabilities, and the consequence term in units of, for example, economic replacement cost, or fatalities. When applied to critical infrastructure, the notion is to assess adversary intent as “threat” and then rely on such assessments for proposed methods to optimize defense. DHS has promoted PRA, including models based on the (T,V,C) construct, for assessing the threats posed by intelligent adversaries in a terrorist attack.

The National Research Council (NRC) has, however, criticized the use of probabilities to model the behavior of an intelligent, goal-oriented terrorist. Additional work has raised concerns about terrorism risk models based on (T,V,C). For instance, with a number of examples, Cox illustrates how these models can render nonsensical advice. Cox further notes the deficiency of T, V, and C values as inputs when the probabilities are correlated, and Cox also points out that because the values for V and C really depend on the allocation of effort by both the attacker and defender, they do not make sense as independent inputs. Brown and Cox detail several ways in which probabilistic assessment of terrorism risk can mislead analysts, and they explain why it is impossible for a defender to possess information essential to assess terrorist intent.

Without revisiting the arguments on both sides of this debate, we comment on a few issues most relevant to the resilience of infrastructure systems. First and foremost, if using a (T,V,C)-style of analysis for an infrastructure system, one cannot assume that the consequence associated with the loss of a set of components is simply the sum of the consequences associated with the loss of individual components. In general, ignoring the dependencies between the components of a system can be misleading. Rather, one should be considering scenarios involving the loss of sets of components. In some risk analyses, the “components” of the system are themselves built of elements, modeled, and evaluated by any of a number of probabilistic models. But this is not current practice in many implementations of PRA for critical infrastructure systems. We therefore caution against the use of simplistic (T,V,C)-style modeling for the study of deliberate threats to critical infrastructure, and especially for assessing infrastructure resilience.

(c)
Rank   Consequence   Links
1      +8            [10,13]
2      +7            [2,7]
3      +5            [7,8]
4      +4            [9,13]
T5     +2            [8,12], [10,11]
T7     +1            [1,2], [5,9], [6,10], [11,15], [13,14]
All other links result in zero consequence if broken: [1,5], [2,3], [4,8], [6,7], [11,12], [12,16], [14,15]

Fig. 2. A break on a single link in this network incurs additional operating cost, but does not prevent fuel from being delivered to each location. (a) A break on link [7, 8] results in an increased operating cost of 32. (b) A break on link [10, 13] is the worst-possible interdiction of a single link and results in total cost of 33; in this case, there are multiple ways the operator can reroute flows and achieve this cost. (c) This table lists the links, if interdicted individually, that yield the greatest consequence, in rank order. “T5” and “T7” denote ties for fifth-worst and seventh-worst, respectively.

Second, our operational view of infrastructure function is agnostic to the source of a
disruption—once one or more components are lost, the operator’s focus is on doing the best
she can to maintain function with whatever is left of the system.

Third, by narrowing the set of potential disruptions to the simultaneous loss of one or
more (known, and finite) components, it becomes possible, in principle, to search over the
scenarios of concern. Although the size of this set can be too large to allow this in
practice, it creates the opportunity for a different style of analysis, as we now describe.


3.2. Using the Operator Model to Assess Disruptions

Given the Operator Model (Equation (1)), we can explicitly consider the consequence of any
potential disruption (i.e., loss of links in our notional infrastructure) by changing x and
re-solving for the minimum-cost response. For example, consider a break in the link [7, 8]
as shown in Fig. 2(a). This link previously carried 40% of the total system flow in the
baseline solution. In response to this break, and under the assumptions of this example,
the system operator is able to reroute flows through the network in order to still satisfy
all customers; however, the total cost to do so increases from 25 to 32.

Although the network is N − 1 reliable, suppose the operator is concerned about the
worst-case loss (break) of a single link because it will create the need to reroute flows
and possibly incur greater cost. One way to find the worst single-link loss in the system
is to exhaustively enumerate each possible interdiction, re-solving Equation (1) each time,
and then identifying the possible interdiction that results in the highest operating cost.

Another way to get at this is to consider a hypothetical intelligent adversary (an
attacker) who has perfect knowledge of the system and uses limited resources to
deliberately damage the system. From the operator’s perspective, the attacker could be
Mother Nature, a terrorist, simple bad luck, or anything else that causes the simultaneous
loss of components; the operator is concerned with running the system in the best possible
manner following the loss of these components. Although our exposition sometimes
personifies the attacker, we emphasize that our purpose is simply to discover worst-case
component losses, not model the actual decision making of any particular adversary (e.g.,
Al-Qaeda).

Suppose the attacker has the ability to target a single link. Which one should he break to
maximize the costs incurred by the operator? We formulate this Attacker Model
mathematically as follows:

$$\max_{x \in X} \; \min_{y \in Y(x)} f(x, y), \qquad (2)$$

where now x is a decision variable belonging to the attacker, and X represents the set of
all possible single-link attacks. Given any particular choice of attack x, the operator
still faces the same cost minimization (Equation (1)), now with an objective function
f(x, y) and a set of feasible actions y ∈ Y(x). Thus, this Attacker Model (Equation (2)) is
almost identical to the prior model (1), except that the state parameters x have become
decision variables for the attacker, and we have put restrictions on the choice of
disruption. Models of this form have been studied in the context of attacker-defender
optimization.

Appendix B provides a complete mathematical formulation for the Attacker Model in this
example. For our notional infrastructure, the worst-case single-link disruption is the loss
of link [10, 13], which results in a total operating cost of 33 (Fig. 2(b)). The table in
Fig. 2(c) lists the links, if interdicted individually, that yield the greatest
consequence, in rank order.

An important contribution in the development of attacker-defender optimization problems is
their connection to game theory. Specifically, the mathematical program (Equation (2)) is a
two-stage sequential-play game in which the attacker moves first, and then the operator (or
defender) moves second. These are known as Stackelberg games.

If all of the decision variables for the attacker and defender are discrete, our
formulation (2) is equivalent to a sequential matrix game of the classical layout, where in
the first stage the attacker chooses a row of the payoff matrix by choosing a particular
attack plan, and then the operator (or defender) chooses a column through his choice of a
specific operating plan. However, instead of enumerating all of the pure strategies for
each player at each stage of the game, we represent those (potentially enormous) sets of
pure strategies implicitly through a set of decision variables and constraints: the
exponential number of feasible solutions to this constrained optimization model represent
the possible pairs of strategies for the two players.

This implicit representation of the strategy spaces allows us a great deal of power in
modeling the behavior of the two players. We can impose any number of budget restrictions
on each player (e.g., time, money, labor, explosives, or other materials), and we can also
add constraints that preclude illogical (or physically impossible) combinations of
decisions, and in this way we can represent extremely complex decision spaces with only
slightly more modeling effort.

The ability to solve attacker-defender problems in this manner also has implications on how
we assess the resilience of such infrastructure systems.

4. ASSESSING AND IMPROVING RESILIENCE

Resilience has recently become an important topic in discussions about the way that systems
of all kinds respond to both nondeliberate hazards and deliberate threats. This section
describes how our operational view of infrastructure function naturally leads to a precise
and quantifiable notion of “operational resilience,” and we describe how our
optimization-based attacker-defender models lend themselves to characterizing it in a way
that facilitates model verification, validation, and reproducible results—features that are
essential to making the study of resilience more scientifically rigorous.

4.1. Notions of Resilience

Park et al. provide a partial survey and summary of the growing literature on resilience
and its relationship to the study of risk. They report how use of the term “resilience” in
engineering systems followed the foundational work of Holling in ecology, with considerable
growth in the number of papers in the last decade that relate to resilience in engineering,
physics, and mathematics. Hollnagel et al. provide an early treatment of “resilience
engineering” that builds on the study of system safety. As noted by Madni and Jackson, an
important contribution in this early work is the argument that “safety is something (that
results from what) a system or an organization does, rather than something a system or an
organization has.” As a result, much of this literature stresses the need to study safety
as a process instead of safety as a property of the system itself. The study of resilience
in engineering systems has followed this lead, in the sense that resilience is viewed as an
expression of system behavior in response to an event rather than something inherent to the
system itself.

A complicating factor in previous attempts to define resilience is the recognition that
“[r]esilience is a family of related ideas, not a single thing.” Zolli and Healy provide
perhaps the most comprehensive and provocative discussion of the myriad notions of
resilience. Nonetheless, a common feature across many definitions of engineering resilience
is the ability of the system to adapt in response to a disruption. Importantly, Park et al.
observe that in a resilient system the result of this adaptation is “the persistence of
relationships, rather than stability in quantitative measures of state variables.”


Alderson,  Brown,  and  Carlyle 


Thus, a distinguishing feature of resilience is adaptation in the way that components work
together to achieve persistence in these relationships. Our notion of operational
resilience is consistent with these ideas in the sense that our focus is persistence in the
ability of a system to function, over time, in the presence of disruptions.

Park et al. further comment on why resilience in engineering systems should be different
from that in ecology, and why it is distinct and complementary from the study of risk. They
argue that the emergent, nonlinear, self-organizing features in coupled complex systems
make hazard identification difficult if not impossible, that assessing the probabilities of
harm may be unknowable, and that “we have a poor understanding of how failures propagate
and amplify within and across complex systems.” Although we agree with the notion of
resilience “not as something a system has, but a characteristic of the way it behaves,” we
take issue with the claim that engineering resilience in a system “cannot be predicted or
calculated from aggregation of the individual system components.” Modern infrastructure
systems are complicated, and they can also exhibit features of complexity (see Ottino for a
discussion of the distinction between “complicated” and “complex”); however, designating an
infrastructure as a “complex system” does not mean that we are at the mercy of nonlinear,
emergent chaos or self-organization. Rather, the fundamental belief underlying our Operator
Model is that by capturing the essential objectives and constraints driving system
behavior, we build a representation that is explanatory and not merely descriptive, in the
sense of Willinger et al., and that this representation will therefore have superior
predictive power for assessing the “what-ifs” associated with disruption.

In the last decade, there have been considerable efforts within the engineering community
to assess the resilience of infrastructure systems. Haimes et al. observe that “[o]ne
approach to measuring the resilience of an infrastructure is to predict the trajectory of
recovery time following a catastrophic event.” Reed et al. present resilience scoring
metrics and build on the work of Haimes in using input-output models to measure the
resilience of interconnected systems. These ideas have been prevalent in the civil
engineering literature, particularly in assessing the resilience of freight transportation
and its dependence on maritime systems, with emphasis on evaluating the resilience of
transportation networks after a disaster.


Using ideas from control theory, Vugrin et al. characterize resilience in terms of the
deviation (both magnitude and duration) from “normal” operation that follows a disruptive
event; in this context, a system is more resilient if it experiences smaller deviations.
Vugrin et al. use their definition to assess the resilience of the U.S. petrochemical
sector in response to two hypothetical hurricane scenarios in the Gulf Coast region. Rose
has studied economic resilience to disasters in terms of distinct phases of service
restoration and economic recovery over time.

Despite recent efforts to develop common resilience metrics across infrastructure systems,
Haimes cautions against the use of scoring for system resilience: “attempts to characterize
the resilience of a system with a specific numerical descriptor (as a metric) and to use
the metric to compare the resilience of different systems could be misleading” because of
the differences in operating environments for different infrastructure systems.

As noted, resilience has become an important concept in discussions about homeland security
and defense. A March 2010 report by the U.S. Government Accountability Office (GAO) traces
the history in the definition and use of resilience in the U.S. government’s official
documents on homeland security and also details the increased role of resilience in the
updated 2009 National Infrastructure Protection Plan. DHS currently defines resilience as
the “ability to adapt to changing conditions and prepare for, withstand, and rapidly
recover from disruption.” Outside the government, Flynn points to vulnerabilities that
threaten our national welfare and provocatively asks how the United States can rebuild
itself into a more resilient nation.

Despite this recent flurry of activity, a key challenge remains how to define resilience in
a manner that is (1) quantitative and rigorous enough for objective and precise assessment,
(2) flexible enough to capture many facets of resilience already under discussion by
researchers, and (3) connected to the operational details of the system under study so that
proposed system changes can be naturally evaluated and actually implemented. We proceed in
direct support of this objective.


4.2. Assessing Operational Resilience

Resilience is fundamentally about the behavior of a system in response to a disruption. Our
focus on infrastructure systems and use of an Operator Model to represent infrastructure
behavior requires us to define the system in question, specify its components, and provide
an unambiguous measure of system performance. In this section, we show how our definition
of operational resilience—that is, the ability of a system to adapt its behavior to
maintain continuity of function (or operations) in the presence of disruptions—can be
assessed in a straightforward manner by performing parametric analysis using our Attacker
Model.

Fig. 3. Worst-case simultaneous interdictions. (a) The worst-case single interdiction is of
link [10, 13], resulting in a total cost of 33. In this case, the flow cost increases but
all nodes are still served. (b) The worst-case simultaneous two-link interdiction is of
links [2, 7] and [9, 13], which denies nodes 1, 2, 3, 5, and 9 (now shaded) any flow. The
total cost is 62 (= 12 + 50), most of which is unmet demand penalty cost. (c) The
worst-case simultaneous three-link interdiction is of links [2, 7], [10, 13], and [11, 15],
resulting in a total cost of 87 (= 7 + 80). (d) The worst-case simultaneous four-link
interdiction is of links [2, 7], [8, 12], [10, 11], and [10, 13], resulting in a total cost
of 113 (= 3 + 110). (e) The worst-case simultaneous five-link interdiction is of links
[6, 10], [7, 8], [8, 12], [10, 11], and [10, 13], resulting in a total cost of 131
(= 1 + 130). (f) The worst-case (rank 1) attack for 1-5 simultaneous interdictions
increases approximately linearly. The second-worst (rank 2) through fifth-worst (rank 5)
attacks do less damage, but all are significantly worse than the baseline (no interdiction)
case that has operating cost 25.

Alderson et al. introduce the notion of a resilience curve as that which plots the best
achievable worst-case performance of a system as a function of the disruption “magnitude”
that we measure, for example, in terms of the number of simultaneously lost components. The
usefulness of a resilience curve is based on two underlying ideas. First, by classifying
disruptions in terms of the number of lost components, we obtain a natural mechanism for
considering disruptions that range from “small” to “large.” This is important in comparing
different systems because the way that each responds to disruptions of different sizes can
be dramatically different and even make it difficult to say which one is “more resilient”
(for a detailed discussion, see Alderson et al.). Second, for any particular magnitude of
disruption, we conservatively focus on the worst-case loss of components. Thus, our notion
of the “worst-case” component loss is always implicitly conditioned on some admissible set
of combinations of lost components. Most simply, we often consider the set defined by the
maximum number of lost components (i.e., a cardinality constraint), but this generalizes to
any notion of “budget” including an explicit list of attack options that are affordable to
a specific attacker. We find this parameterization to be of more practical value than the
“absolute worst-case,” which reasonably might correspond to the simultaneous loss of all
components.

With this in mind, consider the worst-case disruption in our notional example associated
with the simultaneous loss of from one to five links (Fig. 3). Specifically, in the
presence of the worst-case loss of a single link (Fig. 3(a)), our network is able to
reroute flows in order to satisfy demand at all nodes. However, the worst-case loss of two
and more links (Figs. 3(b)-(e)) effectively isolates nodes and incurs escalating operating
costs (Fig. 3(f)), due primarily to the model penalties for unmet demand. The frontier
associated with the worst-case losses of one-to-five links (black bars in Fig. 3(f)) is our
“resilience curve” for this example; here, it shows that an attacker can get approximately
linear returns for each additional attack.

The relative shape of this “curve” reveals a lot about the resilience of the system. We
would say that a system for which operating costs grow more quickly with the number of lost
components is “less resilient” than our example, and that a system whose operating costs
grow less quickly with the number of lost components is “more resilient.”

We obtain the results in Fig. 3 by solving the Attacker Model (Equation (2)) with a simple
constraint on the feasible number of attacks, which we vary parametrically from k = 1 to
k = 5 total attacks (see Appendix B for details). Fig. 3(f) also shows the operating costs
associated with the second-worst (i.e., rank order 2) through fifth-worst (rank order 5)
combination of losses for each magnitude of disruption. In principle, obtaining these
rank-ordered disruptions is no more complicated than exhaustively enumerating each possible
loss of k components and then sorting by consequence. However, due to the large number of
combinations, in practice it is more efficient to solve the Attacker Model repeatedly, each
time with an additional constraint that eliminates the previous solution from further
consideration (see example SI on p. 156 of Brown and Dell). Discovering the worst,
second-worst, third-worst, etc., disruptions has important practical considerations for
assessing system resilience and advising defensive investment. If there is only a single
unique worst-case disruption with consequence that is much larger than the second-worst,
then defending against that single disruption might be sufficient to dramatically increase
the resilience of the system. In contrast, if the worst-case disruption is not unique but
is accompanied by many equally bad ones, then defending against only one of them is
unlikely to help at all.

Thus,  an  analysis  of  infrastructure  function  using 
the  attacker-defender  technique  leads  to  a  natural 
characterization  of  operational  resilience. 


4.3.  Improving  Operational  Resilience 

Our ultimate goal is not just defining and assessing, but improving operational resilience
of our infrastructure systems. In the context of our Operator Model, this means mitigating
the worst-case operating cost that can result from the simultaneous loss of components.
However, doing so will require investment, and our ability to spend on improvements will be
constrained by limited resources. To quantify this decision, we formulate this Defender
Model mathematically as follows:

$$\min_{w \in W} \; \max_{x \in X} \; \min_{y \in Y(w, x)} f(w, x, y), \qquad (3)$$

where w is a decision variable representing defensive investments, and W represents the set
of feasible investments. These investments potentially change the operating cost f(w, x, y)
faced by the operator, as well as the set of feasible actions y ∈ Y(w, x). Models of this
form have been studied in the context of defender-attacker-defender optimization. Appendix
C provides a complete mathematical formulation for the Defender Model in this example.

4.3.1.  Protection 

We  consider  two  defensive  strategies  for  im¬ 
proving  operational  resilience.  First,  assume  we  have 
the  ability  to  protect  (equivalently,  “harden”)  a  link 
so  that  it  is  invulnerable  to  loss.  For  our  notional 
attacker,  this  means  that  an  attack  on  the  protected 
component  will  not  affect  system  performance.  In 
order  to  identify  the  worst-case  disruption  in  the 
presence  of  protection,  we  further  assume  that  this 
attacker  can  see  which  links  have  been  protected 
before  he  decides  what  to  attack.  Given  some  limited 
ability  to  defend  links  in  this  way,  which  links  should 
we  protect,  and  how  will  this  change  the  worst-case 
attack  and  the  resulting  consequence? 

Fig. 4 displays the optimal defenses against a given number of attacks. Each row
corresponds to a single link in our notional infrastructure. Each column corresponds to a
scenario involving a specified number of defenses and attacks. The column values for each
scenario represent the optimal defenses (denoted as “O”) against that number of attacks, as
well as the worst-case attacks (denoted as “X”) in response to those defenses. Fig. 5
illustrates in more detail the optimal defenses against the worst-case attack on three
links. Here we obtain insight into the strategy for defensive protection—the optimal
defense is one that “breaks up the set of attacks” that yield the worst-case operating
cost. For our notional example, the high penalty costs associated with unmet demand mean
that the worst-case attack is the one that disconnects as many nodes as possible. The
optimal defense prevents this by ensuring that as many nodes stay connected as possible,
even in the presence of three interdicted links.

Fig. 4. Optimal defensive “hardening” of links can mitigate the worst-case attack. Here, an
“O” represents the protection of a link, and an “X” represents an attack. For a given
number of attacks, an optimal defense “breaks up” the worst-case set of attacks, and the
attacker finds the next-worst set of attacks. The case of three attacks is additionally
illustrated in Fig. 5. Scanning across rows here reveals that the links in this network
cannot be ranked in a simple priority list of importance; however, the frequency with which
a link appears in attack or defense solutions provides an indication of relative
importance. The bottom row shows the optimal, postattack operating cost for each scenario.

This general pattern is observed throughout Fig. 4. Moving from left to right for a fixed
number of attacks, each successive column could be interpreted as a type of iterative
fictitious play—in which the attacker selects an attack set, the defender protects a link
to “break up” the attack set, then the attacker selects a new attack set, after which the
defender protects another link to counter that attack set, and so on—that is used to obtain
the final solution to that specific combination of attacks and defenses. We emphasize,
however, that the actual “game” being played here has only three stages: the defender moves
first by protecting some links, the attacker selects the vulnerable links to interdict, and
the operator runs the residual system as best she can to minimize operating costs of the
surviving system. The solution for each column is obtained by solving an instance of our
Defender Model (Equation (3)) with the corresponding number of defenses and attacks.


Fig. 4 also reports the resulting postattack operating cost for each scenario. We
illustrate these in Fig. 6 as the resilience curves associated with increased defenses. In
the absence of protection, after the first attack, the postattack operating costs (for our
simple example) grow approximately linearly with the number of attacks.

In the case where all attacks are equally costly, the resilience curve for an
infrastructure can also be viewed as a simplified form of the attacker’s return on
investment (ROI). For our simple example, the linear shape of this curve is not good news
for the operator. Fortunately for this system, with each additional defense this curve
becomes less steep, reflecting the fact that attacks become less effective. Thus,
protecting links in this manner improves the resilience of the system—the system denies
consequences to the attacker, no matter his actions.
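
The enumeration approach of Sections 3.2, 4.2, and 4.3.1, carried through as an added example (not the authors' code, and not their 16-node network). It assumes a constructed six-node ring with one chord, a single unlimited source, uncapacitated links, unit flow cost, and an unmet-demand penalty of 10, so that the Operator Model reduces to shortest paths.

```python
"""Brute-force attacker-defender analysis on a small constructed network."""
from collections import deque
from itertools import combinations

# Constructed 6-node example (NOT the paper's network): ring 1-2-3-4-5-6-1 plus chord 1-4.
LINKS = [(1, 2), (2, 3), (3, 4), (4, 5), (5, 6), (1, 6), (1, 4)]
SUPPLY = 1                                  # single source, unlimited supply (assumption)
DEMAND = {2: 1, 3: 1, 4: 1, 5: 1, 6: 1}     # one unit of demand at every other node
FLOW_COST = 1                               # cost per unit of flow per link traversed
PENALTY = 10                                # cost per unit of unmet demand


def operator_cost(lost=()):
    """Operator Model: minimum operating cost once the links in `lost` are gone.

    With uncapacitated links and one unlimited source the min-cost flow
    decomposes: each unit of demand is served over a shortest surviving path
    or left unmet, whichever is cheaper.
    """
    lost = set(lost)
    adj = {}
    for u, v in LINKS:
        if (u, v) not in lost:
            adj.setdefault(u, []).append(v)
            adj.setdefault(v, []).append(u)
    dist = {SUPPLY: 0}
    queue = deque([SUPPLY])
    while queue:                            # breadth-first search = shortest hop count
        u = queue.popleft()
        for v in adj.get(u, []):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return sum(q * min(FLOW_COST * dist.get(n, float("inf")), PENALTY)
               for n, q in DEMAND.items())


def consequence(lost):
    """Added operating cost relative to the undisrupted baseline."""
    return operator_cost(lost) - operator_cost()


def ranked_attacks(k, protected=()):
    """Attacker Model by enumeration: every loss of k unprotected links, worst first."""
    prot = set(protected)
    targets = [link for link in LINKS if link not in prot]
    scored = [(operator_cost(a), a) for a in combinations(targets, k)]
    return sorted(scored, key=lambda s: -s[0])


def resilience_curve(max_k, protected=()):
    """Worst-case operating cost for 0..max_k simultaneously lost links."""
    return [ranked_attacks(k, protected)[0][0] for k in range(max_k + 1)]


def best_defense(n_protect, k):
    """Defender Model by enumeration: protect n links to minimize the worst k-link loss."""
    options = ((ranked_attacks(k, p)[0][0], p) for p in combinations(LINKS, n_protect))
    return min(options, key=lambda o: o[0])


if __name__ == "__main__":
    print("resilience curve, k = 0..3:", resilience_curve(3))
    pair = [(1, 2), (3, 4)]
    print("joint consequence of", pair, "=", consequence(pair),
          "vs. sum of individual consequences =",
          sum(consequence([link]) for link in pair))
    print("worst two-link losses:", ranked_attacks(2)[:3])
    for n in (1, 2):
        print(n, "protected link(s) against 2 attacks:", best_defense(n, 2))
```

On this network the two-link worst case is a tie between two disjoint attack sets, so one protected link leaves the worst-case cost unchanged while two well-placed protections lower it, which is the non-unique worst-case situation described in Section 4.2.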

4.3.2.  New  Construction 

Another strategy for creating resilience in an infrastructure system is to augment it with
new construction. Specifically for our notional example, assume we have the ability to
build any of the dashed-line links shown in Fig. 7(a) and that any newly built links will
be invulnerable to attack. However, we also assume that it “costs” twice as much to build a
new link than to protect an existing one. Under these assumptions, which links, if any,
should we build, and which links should we protect?

Fig. 5. Protecting links mitigates a worst-case three-link attack. Panels (a)-(f) display a
worst-case attack on three links in the presence of 0-5 defenses, respectively. In the case
of three attacks, the defensive importance of individual links follows a simple priority
list: [10, 13], [7, 8], [10, 11], [2, 7], [9, 13]. With each additional defense, the
worst-case attack results in a lower consequence (however, note the associated attack
changes completely). The corresponding costs appear in Fig. 4.

[Fig. 6 plot; horizontal axis: Number of Attacks]

Fig. 6. Resilience curves. In the absence of protection, the postattack operating costs
grow approximately linearly with the number of attacks. With each additional protection,
this curve (for our simple example) becomes less steep, indicating improved operational
resilience for the system.


The table in Fig. 7 shows the postattack operating cost for different defensive budget
levels. Here, we represent defensive budget in simple cardinality terms (to simplify
exposition—we have included much more complicated investment considerations in other such
models), where it “costs” one unit of defense to protect a single link and two units of
defense to build a new, invulnerable link. For each budget level, we consider all possible
combinations of links to build and protect, and for each combination we solve the Defender
Model (Equation (3)) with each assumed number of attacks. The values in this table report
the resulting postattack operating costs, and a smaller cost value indicates a better
defense.

In many of these cases, we observe that it is more effective to build new links than to defend existing ones. This is not surprising because adding links to the network serves to shorten the average path length between nodes in the network, and this helps to reduce the operating cost of the system, in addition to providing redundant paths. However, building new links is not a strictly dominant strategy, and even in this small example we observe all combinations of build-only, build-some-protect-others, and protect-only. Figs. 7(b)-(e) illustrate in more detail the best defense solutions when the defense budget is four units. An optimal defense against two attacks (Fig. 7(b)) is to build two new links, specifically [3, 8] and [5, 10]. An optimal defense against three attacks (Fig. 7(c)) is to build one new link ([3, 8]) and then protect two links ([10, 11] and [10, 13]). An optimal defense against four attacks (Fig. 7(d)) is to build a different new link ([5, 10]) and then protect a different pair of links ([1, 5] and [10, 11]). An optimal defense against five attacks (Fig. 7(e)) is to protect four links ([2, 7], [7, 8], [10, 11], and [10, 13]). Thus, the best combinations of links to build or protect can be very different depending on the number of attacks.

Fig. 7. Improving operational resilience with new construction. Panel (a) shows the potential (dashed) links that are available for construction. Under the assumption that building a new link costs twice as much as protecting an existing one, we consider the optimal defensive investment for different budget levels. The table shows the postattack operating cost for 0-5 attacks; values in bold correspond to the optimal (lowest-cost) defensive investments for the given budget and the specified number of attacks. The values in boxes correspond to the cases in Panels (b)-(e), showing the optimal investment of a defensive budget of four when there are 2-5 attacks, respectively. In some situations, it is better to build new links, while in others it is better to protect existing ones. In this example, the defenses cannot be prioritized into a rank-ordered list.

4.3.3.  Committing  to  a  Defense 

Casting infrastructure resilience in terms of our Attacker Model (Equation (2)) and Defender Model (Equation (3)) allows us to identify the sets of component losses that result in worst-case operating costs, as well as the defenses (via protection or new construction) that optimally mitigate these worst-case disruptions. However, as shown with our notional infrastructure system, what is “best” in terms of defense often depends specifically on the number of attacks, and thus the links in our example cannot be strictly prioritized into a simple rank-ordered list. This is ubiquitous because the value of a component depends on its interaction with others (see Alderson et al. for a discussion).

In general, we will not know the size of the disruption that we will face. The point of this is that by presenting the resilience of the system in terms of a curve, one does not make any judgments a priori about the specific disruption magnitudes that are relevant. Uncertainty about the actual magnitude of disruption that we face is mitigated by showing the sensitivity of the system to different levels of disruption magnitude.

Nonetheless, decisions about defensive investment, particularly when they involve physical construction that is permanent, require that we commit to a single defensive plan, often articulated as a priority list and perhaps implemented in stages over time. Given the necessity to select only a single defense, we can solve for a prioritized list of components to protect in an iterative manner. Specifically, we enumerate the number of defenses (i.e., defense_budget = 1, 2, ...), and solve for a single new defense at each step and then fix the defense variable corresponding to that defended component for subsequent steps.

Fig. 8. Example of nondominant investment options. The resilience curves that would result from three defensive investments — namely (1) protect links [2, 7] and [10, 13], (2) build link [3, 8], and (3) build link [5, 10] — show that none of these is strictly “more resilient” than the others. However, given these choices, building link [5, 10] seems to be the best choice.

More simply, in the context of our notional infrastructure, assume that we have a defensive budget of two units, meaning for this system that we can either build a single new link or that we can protect two links. Based on the results in Fig. 4, we observe that links [2, 7] and [10, 13] are among the most important to protect. Also, our analysis of new construction reveals that links [3, 8] and [5, 10] are among the most important to build. Given these three defense options, which one is the best, and how does it compare to the status quo?

Fig. 8 illustrates the resilience curve for the baseline system, along with the resilience curves that would result from each of these three possible defensive investments. We observe that each of these three options results in postattack operating costs that are strictly lower than the baseline system, meaning that any of these defensive investments would yield a system that is more resilient than the current one. However, we also observe that none of the new resilience curves is strictly lower than the others, meaning that none of these solutions dominates the others in terms of the resilience that it provides. Nonetheless, we observe that building link [5, 10] yields the lowest postattack operating cost for all cases except for two attacks, and even there it is a close second choice. For this reason, building link [5, 10] seems to be the best defensive investment decision for this assumed budget based on resilience as the only criterion.

In practice, real defensive investment decisions are likely to depend on not just resilience and cost, as described here, but also other regulatory, economic, and political criteria. Further, the example shows that the resilience curves for different investment options might not strictly dominate one another, making it impossible to say that one system is more resilient than another. Even so, the use of resilience curves to quantify operational resilience is a critically important first step toward more rigorous cost-benefit analysis for infrastructure defense.
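The enumeration that Section 4.3 describes (worst-case attacks for each attack budget, the best protection set for a defensive budget, and the iterative priority list) can be reproduced on a toy instance. The following Python code is an added example, not the authors' code: the 6-node network is constructed, only protection (not new construction) is modeled, capacities and supply are assumed non-binding so the Operator Model reduces to shortest paths, and all function names are hypothetical.

```python
"""Enumerative attacker-defender analysis on a small constructed network."""
from itertools import combinations
import heapq

# Constructed 6-node network (NOT the article's Fig. 1). Node 0 is the supply.
EDGES = [(0, 1), (0, 2), (1, 2), (1, 3), (2, 4), (3, 4), (3, 5), (4, 5)]
SUPPLY = {0}
DEMAND = {1: 1, 2: 1, 3: 1, 4: 1, 5: 1}   # barrels demanded at each node
C, Q, P = 1, 10, 10   # per-unit flow cost, damage penalty, shortfall penalty


def operating_cost(attacked=frozenset()):
    """Operator Model: cheapest way to serve demand once `attacked` edges are damaged.

    Assumption: edge capacities and supply are non-binding, so the min-cost
    flow splits into one shortest path per barrel, and a barrel goes unserved
    (penalty P) whenever its cheapest path costs more than P.
    """
    adj = {}
    for i, j in EDGES:
        w = C + (Q if (i, j) in attacked else 0)   # cost-based interdiction
        adj.setdefault(i, []).append((j, w))
        adj.setdefault(j, []).append((i, w))
    dist = {s: 0 for s in SUPPLY}
    heap = [(0, s) for s in SUPPLY]
    while heap:                                     # Dijkstra from the supply
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in adj.get(u, []):
            if d + w < dist.get(v, float("inf")):
                dist[v] = d + w
                heapq.heappush(heap, (d + w, v))
    return sum(q * min(P, dist.get(n, float("inf"))) for n, q in DEMAND.items())


def worst_case(k, protected=frozenset()):
    """Attacker Model: (max operating cost, attack) over at most k undefended edges."""
    targets = [e for e in EDGES if e not in protected]
    attacks = (frozenset(a) for r in range(min(k, len(targets)) + 1)
               for a in combinations(targets, r))
    return max((operating_cost(a), tuple(sorted(a))) for a in attacks)


def optimal_defense(budget, k):
    """Defender Model: (min worst-case cost, protected edges) for `budget` protections."""
    return min((worst_case(k, frozenset(d))[0], d)
               for d in combinations(EDGES, budget))


def priority_list(budget, k):
    """Iterative plan: add one protection per step, keeping earlier ones fixed."""
    chosen = []
    for _ in range(budget):
        rest = [e for e in EDGES if e not in chosen]
        best = min(rest, key=lambda e: worst_case(k, frozenset(chosen + [e]))[0])
        chosen.append(best)
    return chosen, worst_case(k, frozenset(chosen))[0]


def resilience_curve(max_attacks, protected=frozenset()):
    """Worst-case operating cost for 0..max_attacks simultaneous attacks."""
    return [worst_case(k, protected)[0] for k in range(max_attacks + 1)]


if __name__ == "__main__":
    print("baseline curve:", resilience_curve(3))
    cost, plan = optimal_defense(2, k=2)
    print("best 2 protections vs 2 attacks:", plan, "cost", cost)
    print("defended curve:", resilience_curve(3, frozenset(plan)))
    print("iterative priority list:", priority_list(2, k=2))
```

On this instance two attacks on the supply node's links cut off every demand node (cost 50), while protecting [0, 1] and [1, 3] holds the two-attack worst case to 16.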

5.  DISCUSSION  OF  MODELS 

While it might not be possible to specify a priori the final consequence associated with any disruption, the ability to articulate the Operator Model as a set of rules, operating procedures, or as a normative decision model means that it is possible to explore “what-if” scenarios using numerical simulation or other techniques.

In the models presented here, we restrict attention to a system of components, and in doing so we narrow the view of possible disruptions to those that are known to affect the function of the infrastructure. Moreover, when assessing the operational resilience of an infrastructure system, we restrict the adaptive behavior of the system to the choices defined in the Operator Model. Some researchers have argued that a key feature of resilience is the ability of a system to reconfigure itself in the presence of disruption (i.e., to self-organize, as might be done by humans in response to a disaster). To the extent that one can describe the way in which this might happen, it becomes possible to incorporate this in the Operator Model. If one is unable to describe either this emergent behavior or the rules that might lead to it, then our approach to resilience suffers no more than any other in predicting system response to disruption.

Nonetheless, the models in this article have been deliberately restricted in scope to keep our analysis simple and accessible. We therefore comment on ways in which the techniques presented in this article can be adapted to consider a broader range of issues.

5.1.  Model  Scalability 

The notional infrastructure in this article is deliberately small for illustrative purposes, but the type of Operator Model presented here can be solved at very large scale. In the commercial world, companies routinely solve problems involving millions of variables and hundreds of thousands of constraints. The bilevel Attacker Model is typically at least an order of magnitude larger than the Operator Model to which it is applied because of the need to solve for the best flows in response to every combination of attacks under consideration. Even here, these models can be solved at large scale. For example, when considering worst-case disruptions to an electric power grid, Salmeron et al. have solved Attacker Models consisting of thousands of electrical buses, high-voltage lines, transformers, and substations. Defender Models are more complicated yet because of the interaction of defense and attack combinations. Nonetheless, using appropriate decomposition algorithms, the trilevel optimization in the Defender Model can be solved very efficiently — all of the computational results in this article take less than 30 minutes to generate on a laptop computer.

We have formulated and solved Defender Models significantly larger than the example presented in this article. One such realistic model that we have built and solved considers the traffic handling function of the major roads and bridges of the San Francisco Bay Area. The Operator Model contains 91 nodes and 266 directed arcs, represents origin-destination traffic demands between every pair of 2,292 census tracts, includes an extremely accurate piece-wise-linear approximation to the nonlinear congestion function currently used by California Department of Transportation traffic engineers, and has been validated against rush-hour traffic patterns under many actual scenarios, including the loss of the San Francisco Bay Bridge during major repairs. Results from this model include (1) the discovery that the blockage of a small section of Interstate 880 for a single day can cause more short-term disruption to commuting traffic than the complete closure of any of the seven major bridges over the same time, and (2) the loss of the Bay Bridge for two years is more disruptive than the loss of the Golden Gate Bridge for five years. Insights from this model
have  been  cited  directly  by  the  and  the 

Defender Model, which explicitly models increased operational costs (such as delays and reduced capacity) for protecting bridges, tunnels, and highway segments, solves within a few hours and provides clear defensive plans that are face-valid, mathematically sound, and politically defensible.

5.2. Model Extensions

The constrained optimization problems described here are general mathematical programs, and as such, the example in this article can be extended in any number of ways. For example, we can replace the simple constraints on the number of attacks and the number of defenses with more general constraints on attacker and defender capabilities, including resource constraints that express, for example, limits on finances, personnel, or equipment, and logical constraints on permitted or prohibited combinations of targets. That is, if we have a reasonable estimate of the resources that constrain adversary behavior (money, labor, explosives, etc.), and we have reasonable estimates of the cost of each attack in terms of each of these resources, then we can write one budget constraint for each resource, and end up with a model that considers those details, but is no harder to solve than the original. Examples of such constraints have been applied to large capital planning models and models of industrial projects. We can have as many of these constraints as we desire; they do not complicate the models significantly, and our solution algorithms remain effective. With more general constraints on attacker capability we can, for instance, model defense options that make attacks more expensive. (To a limited extent, we have already done this. Attacking the parallel links has a cost of two, and we assume that new construction costs twice that of protection. Again, see the appendices for details.)

Thus,  we  can  also  model  deterrence — that  is,  the 
“stay  at  home”  behavior  of  an  attacker  whose  costs 
have  been  rendered  intolerable  by  our  defenses. 

In addition, our models can easily incorporate persistence in defenses. That is, if, for any reason, we are committed to protecting a subset of components, we can fix the associated defensive variables in our Defender Model (Equation (3)). And just as for attacks, we can identify not just the optimal course of action for the defender, but also the second-best (or third-best, etc.) defenses and their relative benefit. Such an enumeration of near-optimal courses of action allows a policymaker to reconcile tradeoffs between the quality of a defense and other factors not explicitly represented in the model (e.g., political or social acceptability).

Here, we have restricted attention to the complete loss (or defense) of components. This technique generalizes to accommodate the partial loss (or defense), but we do not describe that here. We can also model other “shocks” to the system, for example, a dramatic change in the demands placed on the system, as happens for regional transportation when there is a mass evacuation.

Although  building  an  Operator  Model  requires 
significant  up-front  investment,  the  relatively  slow 
pace  at  which  infrastructure  changes  means  that 
these  models  are  available  for  reuse  when  the  need 
arises. 

The  model  in  this  article  considers  only  a  single 
instantaneous  attack  and  a  single  instantaneous 
response  to  that  attack.  We  can  also  model  the 
behavior  of  the  system  over  time,  including  the 
repair  (or  reconstitution)  of  components  that  return 
to  operation  on  some  forecast  schedule.  However, 
we  typically  do  not  model  multiple  attacks  over  time 
because  we  assume  that  after  the  first  attack,  the 
operating  conditions  change  substantively  enough 
for  both  the  operator  and  the  attacker  to  preclude 
other  attacks  over  our  planning  horizon.  Here,  we 
are  modeling  singular  events,  not  full-scale  war. 

5.3.  Model  Applicability 

The modeling and analysis techniques described in this article have been applied to a variety of systems. Most relevant to this article, these techniques have been applied to real infrastructure systems across a range of sectors. In the context of the electric power grid, attacker-defender models have been used to analyze the vulnerability of major portions of the U.S. national grid, the dependence of U.S. military installations on the public grid, and the resilience of electric infrastructure in U.S. territories. The basic technique has also been successfully applied to civilian and military petroleum pipeline systems and multimodal transport of petroleum and coal. The use of constrained optimization to improve operations or system restoration has also been applied to natural gas infrastructure systems. Attacker-defender techniques have been applied to telecommunication systems, specifically terrestrial backbone networks, undersea cable systems, and wireless networks. Defender-attacker-defender techniques have been successfully applied to regional highway transportation systems and railroad systems.

The use of constrained optimization and game theory for identifying worst-case disruptions to operations and for planning defenses against them has applicability to more than just infrastructure systems. Again, the key to the successful application of this technique is the development of operational models of system behavior. Recent success stories include the study of worst-case adversarial action in the context of industrial projects, undersea warfare, and ballistic missile defense. These are examples where the Operator Model does not take the form of a network flow problem. We have built dozens of operational models of various infrastructures, each with their own peculiarities, and so far we have not found any that cannot be modeled in some reasonable way. If the Operator Model can be formulated and solved in a reasonable amount of time then the formulations of the Attacker Model and the Defender Model are usually straightforward, and the algorithms to solve them are now standard.

If the Operator Model is nonconvex, or if it is nonlinear and contains discrete variables, the models might take significantly longer to solve, or might require a linear or quadratic approximation. However, the formulations for the Attacker and Defender Models would still follow the same pattern. It is even possible to use simulation-optimization, where the Operator Model is itself a simulation, and the Attacker and Defender Models use optimization wrapped around this. The algorithms to solve these models have to be adapted a bit, and might end up being more heuristic, but the technique is general.

5.4.  The  Role  of  Uncertainty 

The mathematical formulations here are deterministic, in the sense that all model inputs are assumed with certainty, and the “result” of any single model excursion follows directly from those inputs. In practice, we plan on solving many model excursions with different inputs. This type of parametric analysis can be of much greater practical value than the classical sensitivity analysis taught in optimization textbooks (see Brown and Rosenthal for a discussion).

Although our focus in this article is on worst-case disruptions to infrastructure operation, our Operator Model is agnostic about the source of a disruption. In the realm of natural disasters, accidents, or random failures, we might try to define a probability distribution over the set of disruptive events X, and replace the worst-case (“max”) operator from the Attacker Problem with, for example, an expectation or some other measure of risk.

In practice, the expected value is often a poor choice of measure for risk-informed decisions. Our point here is simply that one can use probabilistic techniques for risk in conjunction with our Operator Models, for those who favor these techniques. For simplicity, we restrict attention to calculating and minimizing the expected disruption.

The appropriate form of the expected disruption, as formulated here, is a stochastic optimization problem:

$$E_x\left( \min_{y \in Y(x)} f(x, y) \right) \qquad (4)$$


Here, x is a random variable and $E_x$ denotes the expectation with regard to x. As with Equation (2), the operator takes action only after the (now random) disruption, and thus Equation (4) represents the expected cost of operating the system in the presence of disruption. The validity of such calculations hinges entirely on estimates of the probability distribution for X. We are wary of such estimates, particularly when they involve correlations between system components, and we therefore choose to focus exclusively here on the admittedly (and deliberately) conservative max-min formulation.

Defending against random disruptions becomes no more complicated. We seek defensive investment w to minimize the expected cost of operating the system in the presence of a disruption:

$$\min_{w \in W} E_x\left( \min_{y \in Y(w,x)} f(w, x, y) \right) \qquad (5)$$


As long as the Operator Model is formulated as an optimization problem (see Birge and Louveaux for an introduction to formulating and solving stochastic optimization models), our models and algorithms can be applied with no significant change.

In practice, infrastructure system owners and operators must contend with both expected and worst-case disruptions, and in principle a combination of Equations (3) and (5) could be used to obtain the required insight. Such ideas have been considered by Zhuang and Bier in the context of “intentional and unintentional threats,” but their innermost models are not sufficiently “operational” to study infrastructure in the way we have described here.


5.5. Interdiction Versus Hijacking

The technique in this article works well for situations involving interdiction of system components. But it implicitly assumes that components are either going to be present and functional, or absent. This assumption is sometimes known as “fail off” in the context of communication systems, and it has been an underlying assumption for the architectural design of the Internet. However, a very different situation arises when the system has components that “fail on” — that is, they continue to interact with other system components, but do not follow the rules, or protocols, for interaction. This type of disruption can lead to system hijacking, that is, the system continues to operate but behaves in a way that is not intended. Instances of hijacking are prevalent in technological and biological systems, and they represent some of the most challenging problems in these domains because it is sometimes the very mechanisms designed to create robustness and resilience that are hijacked for other purposes.

The techniques in this article are not designed to assess the impact of hijacking. Nonetheless, the types of disruptions considered here account for a large number of possible scenarios, and addressing them would go a long way to making infrastructure systems more resilient. Handling these types of hijacking scenarios, particularly as they pertain to cyber vulnerabilities, is an important topic for future research.

5.6. Robust Optimization

There is now a growing literature in the field of robust optimization that dates back to Wald’s min-max model for worst-case uncertainty. Robust optimization has been applied to a variety of problems in discrete optimization and network flows. Most of these models take a bilevel form — there is an initial design stage followed by the realization of an uncertain scenario. In the context of our infrastructure defense problems, this corresponds to a defender-attacker problem, in which the defender makes an initial investment in hardening or prepositioning, and the attacker follows with the worst-case attack. Our trilevel Defender Model can be viewed as a type of robust optimization in which there is an additional inner model of operation (after the uncertain attack is realized) that includes adaptation. This inclusion of adaptation through the use of an Operator Model is what distinguishes our models from the existing literature in robust optimization.

6.  CONCLUSION 

To introduce and demonstrate our definition of system resilience, along with supporting analytic techniques, we intentionally chose a model instance that is so simple the reader can grasp normal operations by inspection. Yet, for the same example it is not easy to answer straightforward questions about how the system operator would respond to damage, how interdependencies between components yield vulnerabilities that can seriously disrupt system function, or how the defender should allocate limited resources to increase resilience to damage. This is where having a validated mathematical model of system operation offers tremendous value — it can provide a rapid and objective calculation of the consequence of damage to any set of components, and can therefore be used to identify vulnerabilities and to evaluate the improvement in resilience provided by any defensive plan.

The United States is currently spending billions of dollars on homeland security via federal, state, and local governments, and the most recent policy guidance in PPD21 suggests that resilience is going to be a key objective in future spending. Given this large investment, we strongly advocate the use of methods that (1) reflect the operation of an infrastructure as a system and evaluate its continuity of function in the presence of a disruptive event, (2) incorporate the inherent ability of existing infrastructure systems to adapt to disruptions or changes to their operating environment, and (3) facilitate the systematic exploration of disruptive events and their potential consequences, whether or not they are perceived as likely threats.

Our definition of resilience is qualitatively consistent with suggestions that have been made in the past, including by our most senior government policymakers, but we also show how to make quantitative assessments and evaluate specific alternatives for real systems. These techniques scale up to realistic size and fidelity, and admit a host of standard models, many already in use by system operators. We have used scores of these models to assess resilience of a wide range of systems. Again and again, the same insights emerge: (1) the ability to assess actual system function is the key to an objective evaluation of consequence, (2) systems consist of individual components, but these components interact in complex ways and usually cannot be evaluated in isolation, (3) simple rank ordering of actions by any player is usually impossible, (4) trying to guess what an attacker might do instead of systematically evaluating his feasible courses of action underestimates vulnerability, and overestimates resilience, and (5) it is important to have a definition of resilience that is unambiguous and relies on well-documented, reproducible modeling and computation. We have been able to present our resilience assessments to senior policymakers at the local, state, and federal levels, with confidence that they fully understand our analysis, and we have frequently seen this advice implemented to good effect.

APPENDIX A: OPERATOR MODEL MATHEMATICAL FORMULATION

Although the example in this article is simple enough that the base flows can be solved by inspection, we present the formal Operator, Attacker, and Defender Models needed to obtain complete results.

In what follows, we use barrels as fuel units and dollars as cost units, but this is generic.

Indices and Sets

$n \in N$: nodes (alias $i$, $j$)
$[i,j] \in E$: undirected edge between nodes $i$ and $j$, $i < j$
$(i,j) \in A$: directed arc from node $i$ to node $j$ ($([i,j] \in E \wedge i < j) \Leftrightarrow ((i,j) \in A \wedge (j,i) \in A)$)

Data [units]

$c_{ij}$: per unit cost of traversing arc $(i,j) \in A$ [dollars/barrel]
$u_{ij}$: upper bound on total (undirected) flow on edge $[i,j] \in E$ [barrels]
$\hat{x}_{ij}$: 1 if edge $[i,j] \in E$ damaged, 0 otherwise [binary]
$q_{ij}$: per unit penalty cost of traversing arc $(i,j) \in A$ if damaged [dollars/barrel]
$d_n$: fuel supply at node $n \in N$ [barrels] ($-$demand for $d_n < 0$)
$p_n$: per unit penalty cost for demand shortfall $n \in N$ [dollars/barrel]

Decision Variables [units]

$Y_{ij}$: flow on arc $(i,j) \in A$ [barrels]
$S_n$: fuel shortfall at node $n \in N$ [barrels]

Formulation

$$\min_{Y,S} \ \sum_{[i,j] \in E} \left[ (c_{ij} + q_{ij}\hat{x}_{ij})\,Y_{ij} + (c_{ji} + q_{ji}\hat{x}_{ij})\,Y_{ji} \right] + \sum_{n \in N} p_n S_n \qquad \text{(D0)}$$

s.t.

$$\sum Y - \sum \cdots \qquad \forall n \in N \qquad \text{(D1)}$$

$$0 \le Y_{ij} + Y_{ji} \le u_{ij} \qquad \forall [i,j] \in E \qquad \text{(D2)}$$

$$S_n \ge 0 \qquad \forall n \in N \qquad \text{(D3)}$$

Discussion
Discussion 

The objective function (D0) combines the total flow cost and the total penalty cost. Constraints (D1) enforce balance of flow at each node. Stipulations (D2) and (D3) ensure bounds on decision variables. This formulation implements cost-based interdiction — that is, damage to an arc makes it extremely expensive but not infeasible — which makes the problem easier to solve computationally.


In the above example, we have $d_n = 10$ for $n \in \{8, 10\}$
and $d_n = -1$ otherwise. In addition, we set
$c_{ij} = 1$, $u_{ij} = 15$, and $q_{ij} > 10$ for all $(i,j) \in A$,
$u_{ij} > 14$ for all $[i,j] \in E$, and $p_n = 10$ for all $n \in N$.

APPENDIX  B:  ATTACKER  MODEL 
MATHEMATICAL  FORMULATION 

The Attacker Model builds on the previous
formulation but has additional elements.
Additional Data [units]

$r_{ij}$  “cost” to break edge $[i,j] \in E$ [cardinality]

attack_budget  budget constraint on the number of simultaneous attacks [cardinality]

Additional Decision Variables [units]

$X_{ij}$  1 if attacker breaks edge $[i,j] \in E$, 0 otherwise [binary]

Formulation

$$\max_{X} \min_{Y,S} \; \sum_{[i,j] \in E} \left[ (c_{ij} + q_{ij} X_{ij}) Y_{ij} + (c_{ji} + q_{ji} X_{ij}) Y_{ji} \right] + \sum_{n \in N} p_n S_n \qquad \text{(AD0)}$$

$$\text{s.t.} \quad \text{(D1), (D2), (D3)}$$

$$\sum_{[i,j] \in E} r_{ij} X_{ij} \le \text{attack\_budget} \qquad \text{(AD1)}$$

$$X_{ij} \in \{0,1\} \qquad \forall [i,j] \in E \qquad \text{(AD2)}$$


The objective function (AD0) is the same as that
for the Operator Model (D0), except that parameters
$x_{ij}$ have been replaced by decision variables $X_{ij}$.
Constraint (AD1) limits the number of simultaneous
attacks, and the cost to attack each edge can be
different. Stipulations (AD2) require that attacks are
binary. We note that $q_{ij} = 0$ implies that arc $(i,j)$ is
effectively invulnerable because attacking it does
not increase the flow cost for the operator.


In the above example, we model parallel edges
as costing twice as much to attack. That is, we have
$r_{2,3} = r_{4,8} = r_{12,16} = 2$ and all other $r_{ij} = 1$.

APPENDIX  C:  DEFENDER  MODEL 
MATHEMATICAL  FORMULATION 

The Defender Model builds on the previous
formulation but has additional elements.
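Additional Sets

$[i,j] \in E^{B}$  set of additional edges available to be built, $E^{B} \cap E = \emptyset$

$[i,j] \in E^{B} \iff (i < j) \wedge \big((i,j) \in A \wedge (j,i) \in A\big)$

Additional Data [units]

$h_{ij}$  “cost” to protect edge $[i,j] \in E$ [cardinality]

$h^{B}_{ij}$  “cost” to build edge $[i,j] \in E^{B}$ [cardinality]

defense_budget  budget constraint on the number of defenses [cardinality]

Additional Decision Variables [units]

$W_{ij}$  1 if defender protects edge $[i,j] \in E$, 0 otherwise [binary]

$W^{B}_{ij}$  1 if defender builds edge $[i,j] \in E^{B}$, 0 otherwise [binary]

Formulation

$$\min_{W,\,W^{B}} \max_{X} \min_{Y,S} \; \sum_{[i,j] \in E} \left[ (c_{ij} + q_{ij} X_{ij} (1 - W_{ij})) Y_{ij} + (c_{ji} + q_{ji} X_{ij} (1 - W_{ij})) Y_{ji} \right] + \sum_{[i,j] \in E^{B}} \left[ c_{ij} Y_{ij} + c_{ji} Y_{ji} \right] + \sum_{n \in N} p_n S_n \qquad \text{(DAD0)}$$

$$\text{s.t.} \quad \text{(D1), (D2), (D3), (AD1), (AD2)}$$

$$0 \le Y_{ij} + Y_{ji} \le u_{ij} W^{B}_{ij} \qquad \forall [i,j] \in E^{B} \qquad \text{(DAD1)}$$

$$\sum_{[i,j] \in E} h_{ij} W_{ij} + \sum_{[i,j] \in E^{B}} h^{B}_{ij} W^{B}_{ij} \le \text{defense\_budget} \qquad \text{(DAD2)}$$

$$W_{ij} \in \{0,1\} \qquad \forall [i,j] \in E \qquad \text{(DAD3)}$$

$$W^{B}_{ij} \in \{0,1\} \qquad \forall [i,j] \in E^{B} \qquad \text{(DAD4)}$$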

The objective (DAD0) includes the cost of flow
over existing (and possibly damaged or protected)
edges, flow over newly built edges, and penalties for
unmet demand. Constraints (DAD1) allow flow only
on new edges if they have been built. The constraint
(DAD2) requires that the cost of all defenses fall
within the existing defense budget; the cost of
protecting and building edges can be different.
Stipulations (DAD3) and (DAD4) enforce binary defenses.

In the above example, we assume that it costs
twice as much to build a new edge as to protect an
existing one, that is, $h_{ij} = 1$, $\forall [i,j] \in E$ and
$h^{B}_{ij} = 2$, $\forall [i,j] \in E^{B}$.

In principle, solving the Defender Model requires
nothing more than enumerating every possible
combination of defense and attack, then solving the
corresponding Operator Model for each, and then
finding the one that yields the lowest cost. In practice,
such enumeration is impractical. Alderson et al.
provide details of a decomposition algorithm to solve
models of this type without exhaustive enumeration.
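
The enumeration described above, as an added example that is not from the article: a brute-force Defender Model on a constructed four-node network, restricted to protecting existing edges (no new edges are built). The network, the uniform values c = 1, q = 10, p = 10, and the flow-balance convention (supply may go unused, unmet demand is charged p_n per barrel) are assumptions, and the Operator Model is solved here as a min-cost flow by successive shortest paths.

```python
from itertools import combinations

# Constructed toy network (not the article's 16-node example).
# Undirected edge [i, j] -> (u_ij capacity, r_ij attack cost, h_ij protect cost)
EDGES = {(1, 2): (15, 1, 1), (1, 3): (15, 1, 1), (2, 3): (15, 1, 1),
         (2, 4): (15, 1, 1), (3, 4): (15, 1, 1)}
SUPPLY = {1: 10, 2: -1, 3: -1, 4: -1}   # d_n: positive supply, negative demand
C, Q, P = 1, 10, 10                     # c_ij, q_ij, p_n (uniform, assumed)


def operator_cost(damaged=frozenset(), protected=frozenset()):
    """Operator Model: cheapest flows plus shortfall penalties, given damage."""
    arcs = []  # residual arcs [tail, head, capacity, cost]; arc k ^ 1 reverses arc k

    def add(tail, head, cap, cost):
        arcs.append([tail, head, cap, cost])
        arcs.append([head, tail, 0, -cost])

    for (i, j), (u, _, _) in EDGES.items():
        hit = (i, j) in damaged and (i, j) not in protected
        cost = C + (Q if hit else 0)        # cost-based interdiction
        # Two arcs of capacity u each relax Y_ij + Y_ji <= u_ij; with positive
        # costs an optimal flow never uses both directions, so the optimum matches.
        add(i, j, u, cost)
        add(j, i, u, cost)
    need = 0
    for n, d in SUPPLY.items():
        if d > 0:
            add("s", n, d, 0)               # supply may go unused (assumption)
        else:
            add(n, "t", -d, 0)              # demand to be met
            add("s", n, -d, P)              # shortfall S_n at penalty p_n
            need -= d
    total = 0
    while need > 0:                         # successive shortest paths
        dist, pred = {"s": 0}, {}
        for _ in range(len(SUPPLY) + 1):    # Bellman-Ford: |V| - 1 passes
            for k, (a, b, cap, cost) in enumerate(arcs):
                if cap > 0 and a in dist and dist[a] + cost < dist.get(b, float("inf")):
                    dist[b], pred[b] = dist[a] + cost, k
        push, v = need, "t"
        while v != "s":                     # bottleneck capacity on the path
            push = min(push, arcs[pred[v]][2])
            v = arcs[pred[v]][0]
        v = "t"
        while v != "s":                     # augment along the path
            k = pred[v]
            arcs[k][2] -= push
            arcs[k ^ 1][2] += push
            v = arcs[k][0]
        total += push * dist["t"]
        need -= push
    return total


def plans_within(budget, cost_index):
    """Every edge subset whose summed cost (r_ij or h_ij) fits the budget."""
    for size in range(len(EDGES) + 1):
        for combo in combinations(EDGES, size):
            if sum(EDGES[e][cost_index] for e in combo) <= budget:
                yield frozenset(combo)


def worst_attack(attack_budget, protected=frozenset()):
    """Attacker Model by enumeration: (operator cost, damaged edges)."""
    return max(((operator_cost(a, protected), sorted(a))
                for a in plans_within(attack_budget, 1)), key=lambda r: r[0])


def best_defense(defense_budget, attack_budget):
    """Defender Model by enumeration: (worst-case cost, protected edges)."""
    return min(((worst_attack(attack_budget, w)[0], sorted(w))
                for w in plans_within(defense_budget, 2)), key=lambda r: r[0])


if __name__ == "__main__":
    print("no damage:", operator_cost())
    print("worst 2-edge attack:", worst_attack(2))
    print("best 1-edge protection vs 2 attacks:", best_defense(1, 2))
```

Every defense plan triggers a full attack enumeration and every attack a fresh Operator solve, so the number of solves grows combinatorially with the edge count; this is the cost the decomposition approach avoids.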


REFERENCES 

1. The White House. Presidential Policy Directive: Critical
Infrastructure Security and Resilience. Washington, DC, 2013.

2.  Title  42  US  Code,  Sec  5195c  et  seq  2006  Supp  IV, 
2011.  Critical  Infrastructures  Protection.  Available  at: 
http://www.gpo.gov/.  Accessed  February  14,  2015. 

3.  Homeland  Security  Council  (HSC).  National  Strategy  for 
Homeland  Security.  Washington,  DC:  White  House,  2007. 

4.  Brown  G,  Carlyle  W,  Salmeron  J,  Wood  R.  Analyzing  the 
vulnerability  of  critical  infrastructure  to  attack,  and  planning 
defenses.  Pp.  102-123  in  Greenberg  H,  Smith  J  (eds).  Tutori¬ 
als  in  Operations  Research:  Emerging  Theory,  Methods,  and 
Applications.  Hanover,  MD:  Institute  for  Operations  Re¬ 
search  and  Management  Science,  2005. 

5.  Brown  G,  Carlyle  WM,  Salmeron  J,  Wood  K.  Defending  crit¬ 
ical  infrastructure.  Interfaces,  2006;  36:530-544. 

6.  Wood  AJ,  Wollenberg  BF.  Power  Generation,  Operation 
and  Control,  2nd  ed.  New  York:  Wiley,  1996. 

7.  Alderson  D,  Brown  G,  Carlyle  W,  Cox  L.  Sometimes  there 
is  no  “most  vital”  arc:  Assessing  and  improving  the  opera¬ 
tional  resilience  of  systems.  Military  Operations  Research, 
2013;  8;21-37. 

8.  Shapley  L.  A  value  for  n-person  games.  Pp.  307-317  in 
Kuhn  H,  Tucker  A  (eds).  Contributions  to  the  Theory  of 
Games,  Vol.  II,  Volume  28  of  Annals  of  Mathematical  Stud¬ 
ies.  Princeton,  NJ;  Princeton  University  Press,  1953. 


9.  Ford  L,  Fulkerson  D.  Maximal  Flow  Through  a  Network. 
Technical  Report.  Santa  Monica,  CA:  RAND  Corporation, 
Research  Memorandum  RM-1400, 1954. 

10.  Alderson  D.  Catching  the  “network  science”  bug:  Insight  and 
opportunity  for  the  operations  researcher.  Operations  Re¬ 
search,  2008;  56:1047-1065. 

11.  Albert  R,  Albert  I,  GL  N.  Structural  vulnerability  of  the 
North  American  power  grid.  Physical  Review  E,  2004; 
69:025103-025106. 

12.  Wang  JW,  Rong  LL.  Cascade-based  attack  vulnerability  on 
the  US  power  grid.  Safety  Science,  2009;  47:1332-1336. 

13.  Hines  P,  Cotilla-Sanchez  E,  Blumsack  S.  Do  topological 
models  provide  good  information  about  electricity  infrastruc¬ 
ture  vulnerability?  Chaos:  An  Interdisciplinary  Journal  of 
Nonlinear  Science,  2010;  20:033122-033122. 

14.  Doyle  JC,  Alderson  D,  Li  L,  Low  S,  Roughan  M,  Shalunov  S, 
Tanaka  R,  Willinger  W.  The  “robust  yet  fragile”  nature  of  the 
Internet.  Proceedings  of  the  National  Academy  of  Sciences 
of  the  United  States  of  America,  2005;  102:14497-14502. 

15.  Willinger  W,  Alderson  DL,  Doyle  JC.  Mathematics  and  the 
Internet:  A  source  of  enormous  confusion  and  great  poten¬ 
tial.  Notices  of  the  AMS,  2009;  56:586-599. 

16. Department of Homeland Security (DHS). Critical Infrastructure
Sector Partnerships, 2013. Available at:
http://www.dhs.gov/critical-infrastructure-sector-partnerships.
Accessed August 3, 2013.

17.  Alderson  D.  Doyle  J.  Contrasting  views  of  complexity  and 
their  implications  for  network-centric  infrastructures.  IEEE 
Transactions  on  Systems,  Man,  Cybernetics  A:  Systems  and 
Humans,  2010;  40:839-852. 

18.  O’Neill  R,  Helman  U,  Hobbs  B,  Baldick  R.  Independent  sys¬ 
tem  operators  in  the  United  States:  History,  lessons  learned, 
and  prospects.  Pp.  479-528  in  Sioshansi,  F,  Pfaffenberger,  W 
(eds).  Electricity  Market  Reform:  An  International  Perspec¬ 
tive.  Oxford:  Elsevier,  2006. 

19.  Wardrop  JG.  Some  theoretical  aspects  of  road  traffic  re¬ 
search.  Proceedings  of  the  Institute  of  Civil  Engineers,  Part 
II,  1952;  1:325-378. 

20.  Beckmann  M.  On  the  theory  of  traffic  flows  in  networks. 
Traffic  Quarterly,  1967;  2:109-116. 

21.  Rardin  R.  Optimization  in  Operations  Research.  Upper  Sad¬ 
dle  River,  NJ:  Prentice  Hall,  1997. 

22. Alderson D, Li L, Willinger W, Doyle J. Understanding
Internet topology: Principles, models, and validation.
IEEE/ACM Transactions on Networking, 2005; 13:1205-1218.

23.  Salmeron  J,  Wood  K,  Baldick  R.  Analysis  of  electric  grid  se¬ 
curity  under  terrorist  threat.  IEEE  Transactions  on  Power 
Systems,  2004;  19:905-912. 

24. Hwang CL, Tillman FA, Lee MH. System-reliability evaluation
techniques for complex/large systems: A review. IEEE
Transactions on Reliability, 1981; R-30:416-423.

25.  Billinton  R,  Allan  R.  Reliability  Evaluation  of  Engineer¬ 
ing  Systems;  Concepts  and  Techniques,  2nd  ed.  New  York: 
Plenum  Press,  1992. 

26.  Jorion  P.  Value  at  Risk:  A  New  Benchmark  for  Measuring 
Derivatives  Risk.  New  York:  Irwin  Professional  Publishers, 
1996. 

27.  Rockafellar  RT,  Uryasev  S.  Conditional  value-at-risk  for 
general  loss  distributions.  Journal  of  Banking  &  Finance, 
2002;  26:1443-1471. 

28.  Page  M,  Alderson  D,  Doyle  J.  The  magnitude  distri¬ 
bution  of  earthquakes  near  southern  California  faults. 
Journal  of  Geophysical  Research:  Solid  Earth,  2011; 
116:1978-2012. 

29.  Hiemer  S,  Jackson  DD,  Wang  Q,  Kagan  YY,  Woessner  J, 
Zechar  J,  Wiemer  S.  A  stochastic  forecast  of  California  earth¬ 
quakes  based  on  fault  slip  and  smoothed  seismicity.  Bulletin 
of  the  Seismological  Society  of  America,  2013;  103:799-810. 


30.  Pate-Cornell  M,  Guikema  S.  Probabilistic  modeling  of  ter¬ 
rorist  threats:  A  systems  analysis  approach  to  setting  priori¬ 
ties  among  countermeasures.  Military  Operations  Research, 
2002;  7:5-23. 

31. Garrick B, Hall J, McDonald JC, O'Toole T, Probst PS,
Parker E, Rosenthal R, Trivelpiece A, Van Arsdale L,
Zebroski E. Confronting the risks of terrorism: Making the right
decisions. Reliability Engineering and System Safety, 2004;
86:129-176.

32.  Parnell  G,  Liebe  R,  Dillon-Merrill  R,  Buede  D,  Scouras  J, 
Colletti  B,  Cummings  M,  McGarvey  D,  Newport  R,  Vinch  P. 
Homeland  Security  Risk  Assessment:  Volume  I — An  Illus¬ 
trative  Framework  and  Volume  II:  Appendices  of  Methods. 
Washington,  DC:  Homeland  Security  Institute,  2005. 

33.  Willis  HH,  Mortal  AR,  Kelly  TK,  Medby  JJ.  Estimating  Ter¬ 
rorism  Risk.  Santa  Monica,  CA:  Rand  Corporation,  2006. 

34.  McGill  W,  Ayyub  B,  Kaminskiy  M.  Risk  analysis  for  critical 
asset  protection.  Risk  Analysis,  2007;  27:1265-1281. 

35.  Ezell  BC,  Bennett  SP,  Von  Winterfeldt  D,  Sokolowski  J, 
Collins  AJ.  Probabilistic  risk  analysis  and  terrorism  risk.  Risk 
Analysis,  2010;  30:575-589. 

36.  Willis  HH.  Guiding  resource  allocations  based  on  terrorism 
risk.  Risk  Analysis,  2007;  27:597-606. 

37. ASME (American Society of Mechanical Engineers)
Innovative Technologies Institute. RAMCAP, Risk Analysis
and Management for Critical Asset Protection, 2008.
Available at: http://www.asme-iti.org/RAMCAP. Accessed May
14, 2011.

38.  Keeney  R.  Modeling  values  for  anti-terrorism  analysis.  Risk 
Analysis,  2007;  27:585-596. 

39.  Bier  V.  Choosing  what  to  protect.  Risk  Analysis,  2007; 
27:607-620. 

40.  Bier  VM,  Haphuriwat  N,  Menoyo  J,  Zimmerman  R,  Culpen 
AM.  Optimal  resource  allocation  for  defense  of  targets  based 
on  differing  measures  of  attractiveness.  Risk  Analysis,  2008; 
28:763-770. 

41.  Department  of  Homeland  Security  (DHS).  National  Infras¬ 
tructure  Protection  Plan.  Washington,  DC:  Department  of 
Homeland  Security,  2009. 

42.  National  Research  Council  (NRC).  Committee  on  Method¬ 
ological  Improvements  to  the  Department  of  Homeland 
Security’s  Biological  Agent  Risk  Analysis.  Department  of 
Homeland  Security  Bioterrorist  Risk  Assessment:  A  Call  for 
Change.  Washington,  DC:  National  Academies  Press,  2008. 

43.  National  Research  Council  (NRC).  Committee  to  Review 
the  Department  of  Homeland  Security’s  Approach  to  Risk 
Analysis.  Review  of  the  Department  of  Homeland  Secu¬ 
rity’s  Approach  to  Risk  Analysis.  Washington,  DC:  National 
Academies  Press,  2010. 

44.  Cox  A.  Some  limitations  of  risk  =  threat  x  vulnerability  x 
consequence  for  risk  analysis  of  terrorist  attacks.  Risk  Anal¬ 
ysis,  2008;  28:1749-1761. 

45.  Cox  A.  What’s  wrong  with  hazard-ranking  systems?  An  ex¬ 
pository  note.  Risk  Analysis,  2009;  29:940-948. 

46.  Cox  L.  Game  theory  and  risk  analysis.  Risk  Analysis, 
2009;29:1062-1068. 

47.  Brown  G,  Cox  A.  How  probabilistic  risk  assessment  can  mis¬ 
lead  terrorism  risk  analysis.  Risk  Analysis,  2011;  31:196-204. 

48.  Brown  G,  Cox  A.  Making  terrorism  risk  analysis  less  harmful 
and  more  useful:  Another  try.  Risk  Analysis,  2011;  31:193- 
195. 

49.  Apostolakis  GE,  Lemon  DM.  A  screening  methodology  for 
the  identification  and  ranking  of  infrastructure  vulnerabilities 
due  to  terrorism.  Risk  Analysis,  2005;  25:361-376. 

50.  Stamatelatos  M,  Dezfuli  H,  Apostolakis  G,  Everline  C, 
Guarro  S,  Mathias  D,  Mosleh  A,  Paulos  T,  Riha  D,  Smith 
C,  Vesely  W,  Youngblood  R.  Probabilistic  Risk  Assessment 
Procedures  Guide  for  NASA  Managers  and  Practitioners, 
2011.  Technical  Report  NASA/SP-2011-3421,  NASA. 


51. Wood R. Bilevel network interdiction models:
Formulations and solutions. Pp. 1-11 in Cochran J (ed.)
Wiley Encyclopedia of Operations Research and
Management Science. New York: John Wiley & Sons, 2011.
[doi:10.1002/9780470400531.eorms0932]

52.  Washburn  A,  Wood  R.  Two-person  zero-sum  games  for  net¬ 
work  interdiction.  Operations  Research,  1995;  43:243-251. 

53. von Stackelberg HV. Grundlagen einer reinen Kostentheorie.
Vienna: Verlag von Julius Springer, 1932.

54.  Park  J,  Seager  T,  Rao  P,  Convertino  M,  Linkov  I.  Integrating 
risk  and  resilience  approaches  to  catastrophe  management  in 
engineering  systems.  Risk  Analysis,  2013;  23:356-367. 

55.  Holling  C.  Resilience  and  stability  of  ecological  systems.  An¬ 
nual  Review  of  Ecology  and  Systematics,  1973;  4:1-23. 

56.  Hollnagel  E,  Woods  D,  Leveson  N  (eds).  Resilience  Engi¬ 
neering:  Concepts  and  Precepts.  Aldershot,  UK;  Ashgate 
Press,  2006. 

57.  Madni  A,  Jackson  S.  Towards  a  conceptual  framework  for  re¬ 
silience  engineering.  IEEE  Systems  Journal,  2009;  3:181-191. 

58.  Haimes  YY.  On  the  definition  of  resilience  in  systems.  Risk 
Analysis.  2009;  29:498-501. 

59.  Westrum  R.  A  typology  of  resilience  situations.  Pp.  49-60 
in  Hollnagel  E,  Woods  D,  Leveson  N  (eds).  Resilience  En¬ 
gineering:  Concepts  and  Precepts.  Aldershot,  UK:  Ashgate 
Press,  2006. 

60.  Zolli  A,  Healy  A.  Resilience:  Why  Things  Bounce  Back. 
New  York:  Free  Press,  2012. 

61.  Hale  A,  Heijer  T.  Defining  resilience.  Pp.  95-123  in  Holl¬ 
nagel  E,  Woods  D,  Leveson  N  (eds).  Resilience  Engineering: 
Concepts  and  Precepts.  Aldershot,  UK:  Ashgate  Press,  2006. 

62.  Woods  D.  Essential  characteristics  of  resilience.  Pp.  49-60 
in  Hollnagel  E,  Woods  D,  Leveson  N  (eds).  Resilience  En¬ 
gineering:  Concepts  and  Precepts.  Aldershot,  UK:  Ashgate 
Press,  2006. 

63. Leveson N, Dulac N, Zipkin D, Cutcher-Gershenfeld J,
Carroll J, Barrett B. Engineering resilience into safety-critical
systems. Pp. 95-123 in Hollnagel E, Woods D, Leveson
N (eds). Resilience Engineering: Concepts and Precepts.
Aldershot, UK: Ashgate Press, 2006.

64.  Ottino  J.  Engineering  complex  systems.  Nature,  2004; 
427:399. 

65.  Willinger  W,  Govindan  R,  Jamin  S,  Paxson  V,  Shenker  S. 
Scaling  phenomena  in  the  Internet:  Critically  examining 
criticality.  Proceedings  of  the  National  Academy  of  Sciences 
USA,  2002;  99:2573-2580. 

66.  Haimes  Y,  Crowther  K,  Horowitz  B.  Homeland  security  pre¬ 
paredness:  Balancing  protection  with  resilience  in  emergent 
systems.  Systems  Engineering,  2006;  11:287-308. 

67.  Reed  D,  Kapur  K,  Christie  R.  Methodology  for  assessing 
the  resilience  of  networked  infrastructure.  IEEE  Systems 
Journal,  2009;  3:174-180. 

68.  Ta  C,  Goodchild  A,  Pitera  K.  Structuring  a  definition  of  re¬ 
silience  for  the  freight  transportation  system.  Transportation 
Research  Record:  Journal  of  the  Transportation  Research 
Board,  2009;  2097:19-25. 

69.  Chen  L,  Miller-Hooks  E.  Resilience:  An  indicator  of  recov¬ 
ery  capability  in  intermodal  freight  transport.  Transportation 
Science,  2012;  46:109-123. 

70.  Nair  R,  Avetisyan  H,  Miller-Hooks  E.  Resilience  framework 
for  ports  and  other  intermodal  components.  Transportation 
Research  Record:  Journal  of  the  Transportation  Research 
Board,  2010;  2166:54-65. 

71.  Omer  M,  Mostashari  A,  Nilchiani  R,  Mansouri  M.  A  frame¬ 
work  for  assessing  resiliency  of  maritime  transportation 
systems.  Maritime  Policy  &  Management,  2012;  39:685-703. 

72.  Freckleton  D,  Heaslip  K,  Louisell  W,  Collura  J.  Evaluation 
of  resiliency  of  transportation  networks  after  disasters. 
Transportation  Research  Record:  Journal  of  the  Transporta¬ 
tion  Research  Board,  2012;  2284:109-116. 


73.  Hughes  J,  Healy  K.  Measuring  the  resilience  of  transport 
infrastructure.  Technical  Report  Research  Report  546. 
Washington,  DC:  Transportation  Research  Board,  the 
National  Academies,  2014. 

74. Vugrin E, Warren D, Ehlen M, Camphouse R. A framework
for assessing the resilience of infrastructure and economic
systems. Pp. 77-116 in Gopalakrishnan K, Peeta S (eds).
Sustainable and Resilient Critical Infrastructure Systems:
Simulation, Modeling, and Intelligent Engineering. New
York: Springer-Verlag, 2010.

75.  Vugrin  E,  Warren  D,  Ehlen  M.  A  resilience  assessment 
framework  for  infrastructure  and  economic  systems:  Quan¬ 
titative  and  qualitative  resilience  analysis  of  petrochemical 
supply  chains  to  a  hurricane.  Pp.  77-116  in  Gopalakrishnan 
D,  Peeta  S  (eds).  Proceedings  of  6th  Global  Congress  on 
Process  Safety,  American  Institute  of  Chemical  Engineers. 
San  Antonio,  TX,  2010. 

76.  Rose  A.  Defining  and  measuring  economic  resilience  to 
disasters.  Disaster  Prevention  and  Management,  2004; 
13:307-314. 

77.  Rose  A.  Economic  resilience  to  natural  and  man-made  dis¬ 
asters;  Multidisciplinary  origins  and  contextual  dimensions. 
Environmental  Hazards,  2007;  7:383-398. 

78.  Rose  A.  Economic  Resilience  to  Disasters.  Technical  Re¬ 
port,  CARRI  Research  Report  8,  Oakridge,  TN:  Community 
&  Regional  Resilience  Institute,  2009. 

79.  US  Government  Accountability  Office  (GAO).  Critical 
Infrastructure  Protection:  Update  to  National  Infrastruc¬ 
ture  Protection  Plan  Includes  Increased  Emphasis  on  Risk 
Management  and  Resilience,  2010,  Washington,  DC:  US 
Government  Accountability  Office  Report,  GAO-10-296, 
March  5,  2010. 

80.  Department  of  Homeland  Security  (DHS),  Risk  Steering 
Committee.  DHS  Risk  Lexicon.  Washington,  DC,  2010. 

81.  Flynn  S.  The  Edge  of  Disaster;  Rebuilding  a  Resilient 
Nation.  New  York:  Random  House,  2007. 

82.  Brown  G,  Dell  R.  Formulating  linear  and  integer  linear 
programs:  A  rogues’  gallery.  INFORMS  Transactions  on 
Education,  2007;  7:153-159. 

83.  Alderson  D,  Brown  G,  Carlyle  W,  Wood  RK.  Solving 
defender-attacker-defender  models  for  infrastructure  de¬ 
fense.  Pp.  28-49  in  Wood  K,  Dell  R  (eds).  Operations 
Research,  Computing  and  Homeland  Defense.  Hanover, 
MD:  Institute  for  Operations  Research  and  the  Management 
Sciences,  2011. 

84.  Salmeron  J,  Wood  K,  Baldick  R.  Worst-case  interdiction 
analysis  of  large-scale  electric  power  grids.  IEEE  Transac¬ 
tions  on  Power  Systems,  2009;  24:96-104. 

85. Alderson D, Brown G, Carlyle W. Assessing and Improving
Operational Resilience of Critical Infrastructures and Other
Systems. Hanover, MD: Institute for Operations Research
and Management Science, 2014 [to appear in Tutorials in
Operations Research].

86.  Alderson  D,  Brown  G,  Carlyle  W,  Wood  RK.  Optimizing 
the  Operational  Resilience  of  Regional  Infrastructure:  A 
Case  Study  of  the  Highway  System  in  the  San  Francisco  Bay 
Area,  Presentation,  INFORMS  Computing  Society  Meeting, 
Santa  Fe,  NM,  January  6,  2013. 

87. California Metropolitan Transportation Commission. Initial
Examination of Volume Delay Functions Using PeMS
Data, 2012. Available at:
http://mtcgis.mtc.ca.gov/foswiki/pub/Main/Documents/2012_03_06_RELEASE_Volume_delay_functions.pdf.
Accessed April 30, 2013.

88.  Department  of  Homeland  Security  (DHS),  Homeland  In¬ 
frastructure  Threat  and  Risk  Analysis  Center.  Infrastructure 
Impact  Assessment  28  October  2009:  San  Francisco  Bay 
Bridge  Closure.  Washington,  DC;  DHS,  2009. 

89.  Brown  G,  Dell  R,  Newman  A.  Optimizing  military  capital 
planning.  Interfaces,  2004;  34:415-425. 


90.  Brown  G,  Carlyle  W,  Harney  R,  Skroch  E,  Wood  R.  In¬ 
terdicting  a  nuclear-weapons  project.  Operations  Research, 
2009;  57:866-877. 

91.  Salmeron  J,  Wood  K.  Final  Report  on  DOE  Research 
Project  DE-AI02-05ER25670:  Reducing  the  Vulnerability 
of  Electric  Power  Grids  to  Terrorist  Attack.  Technical 
Report  NPS-OR-09-003-PR,  Naval  Postgraduate  School. 
Distribution  authorized  to  U.S.  Government  Agencies  only 
(sensitive  information),  2009. 

92.  Salmeron  J,  Alderson  D,  Brown  G.  Resilience  Report: 
Electric  Power  Infrastructure  Supporting  Mission  Assurance 
at  Vandenberg  Air  Force  Base  (U).  Naval  Postgraduate 
School,  Technical  Report  NPS-OR-11-008,  2011.  [Distri¬ 
bution  authorized  to  U.S.  Government  Agencies  and  their 
contractors  due  to  military  infrastructure.] 

93. Salmeron J, Alderson D, Brown G, Wood R. Resilience
Report: The Guam Power Authority Electric Power Grid:
Analyzing Vulnerability to Physical Attack (U). Naval
Postgraduate School, Technical Report NPS-OR-12-002,
2012. [Distribution authorized to DoD and DoD contractors
only due to infrastructure vulnerability analysis.]

94.  Chankij  MK,  Assessing  the  Resiliency  of  the  JP8  Distribu¬ 
tion  System  on  Guam.  Master's  thesis.  Naval  Postgraduate 
School,  Monterey,  CA,  2012. 

95. Montgomery JD. Oahu Petroleum Infrastructure Resilience.
Master’s thesis, Naval Postgraduate School, Monterey, CA,
2013.

96.  Onuska  J.  Defending  the  Pittsburgh  Waterways  Against 
Catastrophic  Disruption.  Master’s  thesis,  Naval  Postgraduate 
School,  Monterey,  CA,  2012. 

97.  Burton  C.  Analyzing  the  U.S.  Military  Fuel  Distribution 
Network  on  Okinawa.  Master’s  thesis,  Naval  Postgraduate 
School,  Monterey,  CA,  2013. 

98.  Long  C.  Analyzing  the  Resilience  of  the  Fuel  Distribu¬ 
tion  System  for  Mainland  Japan.  Master’s  thesis,  Naval 
Postgraduate  School,  Monterey,  CA,  2013. 

99. Avery W, Brown G, Rosenkranz J, Wood R. Optimization
of purchase, storage and transmission contracts for natural
gas utilities. Operations Research, 1992; 40:446-462.

100.  Coffrin  C,  van  Hentenryck  P,  Bent  R.  Last  mile  restoration 
for  multiple  interdependent  infrastructures.  In  Proceed¬ 
ings  of  the  Twenty-Sixth  AAAI  Conference  on  Artificial 
Intelligence  (AAAI  2012),  Toronto,  Canada,  2012. 

101.  Barkley  T.  An  Attacker-Defender  Model  for  IP-Based 
Networks.  Master’s  thesis.  Naval  Postgraduate  School, 
Monterey,  CA,  2007. 

102.  Crain  J.  Assessing  Resilience  in  the  Global  Undersea  Cable 
Infrastructure.  Master’s  thesis.  Naval  Postgraduate  School, 
Monterey,  CA,  2012. 


103.  Shankar  A,  Optimal  Jammer  Placement  to  Interdict  Wire¬ 
less  Network  Services.  Master’s  thesis.  Naval  Postgraduate 
School,  Monterey,  CA,  2008. 

104.  Babick  JP.  Tri-Level  Optimization  of  Critical  Infrastructure 
Resilience.  Master’s  thesis.  Naval  Postgraduate  School, 
Monterey,  CA,  2009. 

105.  Brown  G,  Kline  J,  Thomas  A,  Washburn  A,  Wood  K. 
A  game-theoretic  model  for  defense  of  an  oceanic  bas¬ 
tion  against  submarines.  Operations  Research,  2011;  16: 
25-40. 

106.  Brown  G,  Carlyle  M,  Diehl  D,  Kline  J,  Wood  K.  A  two-sided 
optimization  for  theater  ballistic  missile  defense.  Operations 
Research,  2005;  53:263-275. 

107.  Brown  G,  Rosenthal  R.  Optimization  tradecraft:  Hard-won 
insights  from  real-world  decision  support.  Interfaces,  2008; 
38:356-366. 

108. Aven T, Kørte J. On the use of risk and decision analysis to
support decision-making. Reliability Engineering & System
Safety, 2003; 79:289-299.

109.  Savage  S.  The  Flaw  of  Averages:  Why  We  Underestimate 
Risk  in  the  Face  of  Uncertainty.  New  York:  John  Wiley  & 
Sons,  2009. 

110.  Birge  JR,  Louveaux  F.  Introduction  to  Stochastic  Program¬ 
ming.  New  York:  Springer,  1997. 

111.  Zhuang  J,  Bier  V.  Balancing  terrorism  and  natural  dis¬ 
asters:  Defensive  strategy  with  endogenous  attack  effort. 
Operations  Research,  2007;  55:976-991. 

112.  Clark  DD.  The  design  philosophy  of  the  DARPA  Internet 
protocols.  ACM  SIGCOMM  Computer  Communications 
Review.  1988;  18:106-114. 

113.  Doyle  JC,  Carlson  J,  Low  SH,  Paganini  F,  Vinnicombe 
G,  Willinger  W,  Parrilo  P.  Robustness  and  the  Inter¬ 
net:  Theoretical  foundations.  In  Jen  E  (ed).  Robust 
Design:  A  Repertoire  from  Biology,  Ecology,  and 
Engineering.  Oxford,  UK:  Oxford  University  Press, 
2003. 

114.  Doyle  J,  Csete  M.  Architecture,  constraints,  and  behavior. 
Proceedings  of  the  National  Academy  of  Sciences,  2011; 
108:15624-15630. 

115.  Wald  A.  Statistical  decision  functions  which  minimize 
the  maximum  risk.  Annals  of  Mathematics,  1945;  46:265- 
280. 

116.  Danskin  J.  The  Theory  of  Max-Min.  New  York:  Springer- 
Verlag,  1967. 

117.  Bertsimas  D,  Sim  M.  The  price  of  robustness.  Operations 
Research,  2004;  52:35-53. 

118.  Bertsimas  D,  Brown  D,  Caramanis  C.  Theory  and  ap¬ 
plications  of  robust  optimization.  SIAM  Review,  2011; 
53:464-501. 


